Overland Storage Snap Server 410 'less' Command Local Privilege Escalation Vulnerability

Vulnerability ID 1118602 Vulnerability type Permissions, privileges and access control
Published 2009-10-20 Updated 2010-01-13
CVE ID CVE-2009-4607 CNNVD ID CNNVD-201001-108
Platform Hardware CVSS score 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/9955
https://cxsecurity.com/issue/WLB-2010010175
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201001-108
|Vulnerability details
The command-line interface in Overland Storage Snap Server 410 with GuardianOS 5.1.041 runs the 'less' program, which supports a shell-escape command, with a higher-privileged uid than that of the insufficiently restricted CLI user. This allows local users to gain privileges and obtain a privileged shell via the '!' character.
|Exploit
Device: Snap Server 410
OS: GuardianOS 5.1.041
Description: When logged in to the CLI via ssh as admin (uid=1) you can escalate your privileges to uid 0 and get /bin/sh. In order to achieve this, open 'less', which is available by default for viewing files (i.e. less /tmp/top.log), and type in '!/bin/sh'. This will give you direct access to an sh shell with UID 0. Tested only on the OS version above.
|References

Source: XF
Name: snapserver-less-priv-escalation (53881)
Link: http://xforce.iss.net/xforce/xfdb/53881
Source: BID
Name: 36739
Link: http://www.securityfocus.com/bid/36739
Source: BUGTRAQ
Name: 20091020 Overland GuardianOS CLI command line bug - let you get uid 0 shell
Link: http://www.securityfocus.com/archive/1/archive/1/507318/100/0/threaded
Source: MISC
Link: http://www.juniper.net/security/auto/vulnerabilities/vuln36739.html