HP-UX 10.20 and 11 man文件覆盖漏洞

HP-UX 10.20 and 11 man文件覆盖漏洞

漏洞ID 1105870 漏洞类型 未知
发布时间 2000-06-02 更新时间 2005-05-02
图片[1]-HP-UX 10.20 and 11 man文件覆盖漏洞-安全小百科CVE编号 CVE-2000-0468
图片[2]-HP-UX 10.20 and 11 man文件覆盖漏洞-安全小百科CNNVD-ID CNNVD-200006-011
漏洞平台 HP-UX CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/19990
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-011
|漏洞详情
HP-UX10.20和11版本中man存在漏洞。本地攻击者借助符号链接攻击可以覆盖文件。
|漏洞EXP
source: http://www.securityfocus.com/bid/1302/info

The programmers of the 'man' command on various HPUX releases have made several fatal mistakes that allow an attacker to trivially set a trap that could result in any arbitrary file being overwritten on the system when root runs the 'man' command.

Details:

1) man creates temporary files with predictable filenames in world-writeable directories. The two files are named catXXXX and manXXXX where XXXX is the PID of the man process (highly predictable).

2) man blindly follows symlinks.

3) man explicitly opens the temp files with mode 666 and ignores the existing umask. I verified that this doesn't change the mode of existing files to 666, but it allows for attackers to edit the tempfiles and potentially insert harmful man commands (like recent Bugtraq discussions about malicious manpages).

4) man opens the tempfiles with O_TRUNC. This means that when a file is symlinked to, that file is blindly truncated. This could lead to easy denial-of-service if you want to trash the password file or a hard disk device file. This could also have bad effects on sane man program operation, regardless of security, if a user runs man and leaves it running, then PIDs are wrapped around and someone of higher privilege runs man and overwrites your tempfiles!

Create ~65535 catXXXX or manXXXX symlinks in /tmp, pointing to the file you want to overwrite (e.g. /etc/passwd). Then wait. When root runs man, the file will be blindly overwritten with the formatted manpage contents (cat????) or unformatted (man????) are written to the symlinked file.
|参考资料

来源:BID
名称:1302
链接:http://www.securityfocus.com/bid/1302
来源:BUGTRAQ
名称:20000601HPSecurityvulnerabilityinthemancommand
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]

相关推荐: Microsoft Internet Explorer 6 – URL Local Resource Access

Microsoft Internet Explorer 6 – URL Local Resource Access 漏洞ID 1054485 漏洞类型 发布时间 2004-06-06 更新时间 2004-06-06 CVE编号 N/A CNNVD-ID N/A…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享