发布日期：2002-12-23
更新日期：2003-01-02

受影响系统：

MathWorks MATLAB 6.5

描述：

---

BUGTRAQ  ID: 6469

MATLAB是一种计算技术语言。

MATLAB Mex脚本存在一个漏洞，本地攻击者可以利用这个漏洞破坏本地文件。

MATLAB使用进程ID命名临时文件，本地攻击者可以预见Mex创建的临时文件名，如果攻击者建立一个符号链接到系统文件，并且MATLAB用户有权限写该系统文件，那么在Mex建立临时文件的时候就破坏了该系统，可能会造成拒绝服务攻击。

<*来源：Paul Szabo （psz@maths.usyd.edu.au）
  
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=104065964925327&w=2
*>

建议：

---

临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* Paul Szabo （psz@maths.usyd.edu.au）提供如下补丁：

*** matlab/6.5/bin/matlab.old    Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/matlab    Thu Dec 19 08:36:04 2002
***************
*** 137,145 ****
  #
  # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
  #
!     temp_file=/tmp/$$a
  #
!     trap "rm -f $temp_file; exit 1" 1 2 3 15
  #
  #========================= archlist.sh (start) ============================
  #
--- 137,147 ----
  #
  # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
  #
!     temp_dir=/tmp/$$a
!     temp_file=$temp_dir/a
!     mkdir -m 700 $temp_dir || exit 1
  #
!     trap "rm -rf $temp_dir; exit 1" 1 2 3 15
  #
  #========================= archlist.sh (start) ============================
  #
***************
*** 1790,1798 ****
      echo '------------------------------------------------------------------------') >> $temp_file
  #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      more $temp_file
!         rm -f $temp_file
      exit 0
      fi
  #
  # Export the variables
  #
--- 1792,1801 ----
      echo '------------------------------------------------------------------------') >> $temp_file
  #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      more $temp_file
!     rm -rf $temp_dir
      exit 0
      fi
+     rm -rf $temp_dir
  #
  # Export the variables
  #

*** matlab/6.5/bin/mex.old    Tue Sep 24 10:52:30 2002
--- matlab/6.5/bin/mex    Thu Dec 19 11:07:34 2002
***************
*** 1014,1021 ****
          exit 1
      fi
      if [ "$verbose" = "1" ]; then
!         temp_file=/tmp/$$b
!         files_to_remove="$files_to_remove $temp_file"
          . $MATLAB/bin/util/oscheck.sh
          if [ "$oscheck_status" = "1" ]; then
              cleanup
--- 1014,1023 ----
          exit 1
      fi
      if [ "$verbose" = "1" ]; then
!         temp_dir=/tmp/$$b
!         temp_file=$temp_dir/b
!         files_to_remove="$files_to_remove $temp_dir"
!         mkdir -m 700 $temp_dir || exit 1
          . $MATLAB/bin/util/oscheck.sh
          if [ "$oscheck_status" = "1" ]; then
              cleanup
***************
*** 1031,1038 ****
  #
  # Source the file of argument variables, name=[def]
  #
!     if [ -f /tmp/$$a ]; then
!         . /tmp/$$a
      fi
  
  #
--- 1033,1043 ----
  #
  # Source the file of argument variables, name=[def]
  #
!     #if [ -f /tmp/$$a ]; then
!     #    . /tmp/$$a
!     #fi
!     if [ -n "$EVAL_ASSIGNS" ]; then
!       eval "$EVAL_ASSIGNS"
      fi
  
  #
***************
*** 1505,1510 ****
--- 1510,1516 ----
     ARCH=
      Arch='Undetermined'
      verbose=0
+     EVAL_ASSIGNS=
  #
  #  Use a C entry point by default
  #
***************
*** 1698,1705 ****
              *[=\#]*)
                  lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                  rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
!                 echo $lhs='"'$rhs'"' >> /tmp/$$a
!                 files_to_remove="$files_to_remove /tmp/$$a"
                  ;;
              *.c) # c source file.
                  cfiles='1'
--- 1704,1712 ----
              *[=\#]*)
                  lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                  rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
!                 #echo $lhs='"'$rhs'"' >> /tmp/$$a
!                 #files_to_remove="$files_to_remove /tmp/$$a"
!                 EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'
                  ;;
              *.c) # c source file.
                  cfiles='1'

厂商补丁：

MathWorks
---------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.mathworks.com/

浏览次数：2833
严重程度：0（网友投票）