OpenLDAP /usr/tmp/ 的符号连接漏洞

19次阅读
没有评论

OpenLDAP /usr/tmp/ 的符号连接漏洞

漏洞ID 1105791 漏洞类型 竞争条件
发布时间 2000-04-21 更新时间 2005-05-02
OpenLDAP /usr/tmp/ 的符号连接漏洞CVE编号 CVE-2000-0336
OpenLDAP /usr/tmp/ 的符号连接漏洞CNNVD-ID CNNVD-200004-056
漏洞平台 Linux CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/19946
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200004-056
|漏洞详情
LinuxOpenLDAP服务器存在漏洞,本地用户可以通过符号连接攻击修改任意文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/1232/info

A vulnerability exists in OpenLDAP as shipped with some versions of Linux, including RedHat 6.1 and 6.2, and TurboLinux 6.0.2 and earlier. OpenLDAP will create files in /usr/tmp, which is actually a symbolic link to the world writable /tmp directory. As OpenLDAP does not check for a files existence prior to opening the files in /usr/tmp, it is possible for an attacker to point an appropriately named symbolic link at any file on the filesystem, and cause it to be destroyed.

This vulnerability will also affect any Unix system with OpenLDAP assuming the following criteria is true:
1) slapd.conf configures the "directory" variable to be /usr/tmp
2) /usr/tmp is a world writable directory.
3) slurpd was built with the DEFAULT_SLURPD_REPLICA_DIR set to /usr/tmp 

ln -sf /etc/passwd /usr/tmp/NEXTID
|参考资料

来源:CALDERA
名称:CSSA-2000-009.0
链接:ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-009.0.txt
来源:TURBO
名称:TLSA2000010-1
链接:http://www.turbolinux.com/pipermail/tl-security-announce/2000-May/000009.html
来源:BID
名称:1232
链接:http://www.securityfocus.com/bid/1232
来源:REDHAT
名称:RHSA-2000:012
链接:http://www.redhat.com/support/errata/RHSA-2000-012.html

相关推荐: McAfee VirusScan 4.03 Alert File Vulnerability

McAfee VirusScan 4.03 Alert File Vulnerability 漏洞ID 1104062 漏洞类型 Origin Validation Error 发布时间 2000-06-08 更新时间 2000-06-08 CVE编号 N/A…

正文完
 0