SSH Restricted Shell Bypass Vulnerability

Vulnerability ID: 1106688
Vulnerability type: Access validation error
Published: 2002-04-18
Updated: 2006-09-05
CVE ID: CVE-2002-1715
CNNVD-ID: CNNVD-200212-184
Platform: Linux
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/21398
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-184
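|Vulnerability details
SSH is an implementation of the Secure Shell protocol that is available for a variety of operating systems. SSH contains a security vulnerability that allows an attacker to break out of a restricted shell environment and execute arbitrary commands. When an authorized user is configured to use rbash or rksh, that remote authorized user can upload files to a world-writable directory and execute commands from that directory. In this situation the attacker can upload a script and execute it to obtain a regular shell on the system, breaking out of a restricted shell environment such as rbash, and then go on to attack the system further. The problem arises when a command is executed from the shell: the command creates a shell process, which rksh or rbash then invokes.
|Exploit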
source: http://www.securityfocus.com/bid/4547/info

SSH (and derivatives) is an implementation of the Secure Shell protocol. It is available for various operating systems, although this vulnerability affects operating systems such as Unix and Linux.

It has been reported that it is possible for a remote user to upload files to world-writeable directories, and execute commands from world-writeable directories. In doing so, a user may be able to upload a script, and execute the script to gain access to a regular shell on the system. This would allow the user unrestricted, but unprivileged access.

After uploading 'malicious' to /tmp:

ssh -l user host '/tmp/malicious'
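
A defender's audit for the two preconditions the advisory names: accounts whose login shell is rbash or rksh, and world-writable directories that files can be executed from. This is an added example, not part of the original advisory; the sample passwd and mount lines are constructed, and treating a `noexec` mount option as the sign that a directory cannot be executed from is an assumption of this example, not a fix stated on the page.

```python
import os

RESTRICTED_SHELLS = {"rbash", "rksh"}  # the two shells the advisory names

# Constructed sample data (not from a real host): passwd and /proc/mounts format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
upload:x:1001:1001::/home/upload:/bin/rbash
report:x:1002:1002::/home/report:/usr/bin/rksh
alice:x:1003:1003::/home/alice:/bin/bash
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
"""

def restricted_accounts(passwd_text):
    """Login names whose shell (7th passwd field) is rbash or rksh."""
    rows = (line.strip().split(":") for line in passwd_text.splitlines())
    return [r[0] for r in rows
            if len(r) == 7 and os.path.basename(r[6]) in RESTRICTED_SHELLS]

def parse_mounts(mounts_text):
    """Map mount point -> set of mount options."""
    rows = (line.split() for line in mounts_text.splitlines())
    return {r[1]: set(r[3].split(",")) for r in rows if len(r) >= 4}

def exec_capable_dirs(dirs, mounts):
    """Given directories whose containing mount lacks noexec (assumed signal)."""
    flagged = []
    for d in dirs:
        # Longest mount point that is a path prefix of d; "/" if none matches.
        owner = max((m for m in mounts if d == m or d.startswith(m.rstrip("/") + "/")),
                    key=len, default="/")
        if "noexec" not in mounts.get(owner, set()):
            flagged.append(d)
    return flagged

def audit(passwd_text, mounts_text, world_writable_dirs):
    """Report restricted-shell accounts and the directories that expose them."""
    users = restricted_accounts(passwd_text)
    dirs = exec_capable_dirs(world_writable_dirs, parse_mounts(mounts_text))
    return {"accounts": users, "exec_dirs": dirs, "exposed": bool(users and dirs)}

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_MOUNTS, ["/tmp", "/var/tmp"]))
```

On a live host, pass in the contents of /etc/passwd and /proc/mounts together with the world-writable directories found on that system.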
|References

Source: XF
Name: ssh-bypass-restricted-shells(8908)
Link: http://xforce.iss.net/xforce/xfdb/8908
Source: BID
Name: 4547
Link: http://www.securityfocus.com/bid/4547
Source: NSFOCUS
Name: 2637
Link: http://www.nsfocus.net/vulndb/2637