Etnus TotalView Insecure UID/GID Privilege Escalation Vulnerability

Published: 2002-03-29
Updated: 2002-03-29
Severity: Medium
Threat level: Privilege escalation
Error type: Configuration error
Exploitation method: Server mode
BUGTRAQ ID: 4365

Affected systems

Etnus TotalView 5.0.0-4

Detailed description

TotalView is a debugger that runs on Linux and Unix systems.

In a default installation, some of the files and directories that TotalView installs are writable by UID 5039/GID 59. These files and directories are created by the root UID/GID. A local attacker with an account that has UID 5039 or GID 59 can access and modify the files, for example to plant a backdoor. When TotalView is then invoked by the root user, this can lead to privilege escalation.

Test code

[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/
total 16
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ./
drwxr-xr-x 19 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 5 root root 4096 Mar 24 16:29 flexlm-6.1/
drwxrwxr-x 12 root root 4096 Mar 24 16:29 totalview.5.0.0-4/
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/totalview.5.0.0-4/
total 56
drwxrwxr-x 12 root root 4096 Mar 24 16:29 ./
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 2 5039 59 4096 Mar 24 16:29 bin/
drwxrwxr-x 3 5039 59 12288 Jan 8 01:33 bitmaps/
drwxrwxr-x 2 5039 59 4096 Jan 8 01:36 fonts/
drwxrwxr-x 4 5039 59 4096 Feb 8 02:43 help/
drwxrwxr-x 2 5039 59 4096 Jan 9 06:31 include/
drwxrwxr-x 2 5039 59 4096 Jan 9 06:31 lib/
drwxrwxr-x 7 5039 59 4096 Jan 8 02:12 linux-x86/
drwxrwxr-x 3 5039 59 4096 Jan 8 01:36 man/
drwxrwxr-x 2 5039 59 4096 Jan 8 01:27 mri/
drwxrwxr-x 3 5039 59 4096 Jan 9 06:30 X11/
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/flexlm-6.1/
total 32
drwxrwxr-x 5 root root 4096 Mar 24 16:29 ./
drwxrwxr-x 4 root root 4096 Mar 24 16:29 ../
drwxrwxr-x 2 5039 59 4096 Jan 8 01:25 bin/
drwxrwxr-x 4 5039 59 4096 Jan 8 01:25 doc/
drwxrwxr-x 3 5039 59 4096 Jan 8 02:12 i386-linux/
-r--r--r-- 1 5039 59 228 Jan 8 01:24 license.opt.src
-r--r--r-- 1 5039 59 6959 Jan 8 01:24 README
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/flexlm-6.1/i386-linux/bin/
total 3244
drwxrwxr-x 2 5039 59 4096 Jan 8 02:12 ./
drwxrwxr-x 3 5039 59 4096 Jan 8 02:12 ../
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmcksum*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmdiag*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmdown*
-r-xr-xr-x 1 5039 59 260244 Jan 8 02:12 lmgrd*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmhostid*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmremove*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmreread*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmstat*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmswitchr*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmutil*
-r-xr-xr-x 10 5039 59 260572 Jan 8 02:12 lmver*
-r-xr-xr-x 1 5039 59 377356 Jan 8 02:12 toolworks*
[andrewg@blackhole advisories]$ ls -alF /usr/local/toolworks/totalview.5.0.0-4/linux-x86/bin/
total 15960
drwxrwxr-x 2 5039 59 4096 Mar 24 16:29 ./
drwxrwxr-x 7 5039 59 4096 Jan 8 02:12 ../
-r-xr-xr-x 1 5039 59 4727166 Jan 8 02:15 hyperhelp*
lrwxrwxrwx 1 5039 59 13 Mar 24 16:29 totalview -> ../../bin/tv5*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 totalviewcli -> ../../bin/tv5cli*
lrwxrwxrwx 1 5039 59 13 Mar 24 16:29 tv5 -> ../../bin/tv5*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 tv5cli -> ../../bin/tv5cli*
-r-xr-xr-x 1 5039 59 3412128 Feb 5 01:00 tv5climain*
-r-xr-xr-x 1 5039 59 6005964 Feb 5 00:59 tv5main*
lrwxrwxrwx 1 5039 59 16 Mar 24 16:29 tvdsvr -> ../../bin/tvdsvr*
-r-xr-xr-x 1 5039 59 373208 Feb 5 01:00 tvdsvrmain*
-r-xr-xr-x 1 5039 59 1763856 Jan 8 02:16 vismain*
lrwxrwxrwx 1 5039 59 19 Mar 24 16:29 visualize -> ../../bin/visualize*

Solution

Manually change the directory permissions.

Related information

"Andrew Griffiths" <nullptr@tasmail.com>.
Reference: http://online.securityfocus.com/archive/1/264085
Related homepage: http://www.etnus.com/Products/TotalView/index.html
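The ownership and mode problem visible in the listings above can be checked across a whole install tree with a short audit script, for use before and after the manual permission change. This is an added example, not part of the original advisory. The function names, the constructed sample tree, and the default that only UID 0/GID 0 is trusted are assumptions.

```python
import os
import stat
import sys
import tempfile

def check_entry(path, trusted_uids, trusted_gids):
    """Return the reasons an untrusted account could modify or replace path."""
    st = os.lstat(path)  # lstat: judge a symlink itself, not its target
    reasons = []
    # The owner can always chmod a file writable again, so a 0555 binary
    # owned by an untrusted UID is still under that account's control.
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by untrusted uid {st.st_uid}")
    if not stat.S_ISLNK(st.st_mode):  # symlink mode bits carry no meaning
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            reasons.append(f"group-writable by untrusted gid {st.st_gid}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
    return reasons

def audit_tree(root, trusted_uids=(0,), trusted_gids=(0,)):
    """Map every path under root (root included) to its findings, if any."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = {}
    for path in paths:
        reasons = check_entry(path, trusted_uids, trusted_gids)
        if reasons:
            findings[path] = reasons
    return findings

def build_sample_tree():
    """Constructed sample using the listing's modes: bin/ 0775, a 0555 file."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o775)
    tool = os.path.join(bindir, "tool")
    open(tool, "w").close()
    os.chmod(tool, 0o555)
    return root

if __name__ == "__main__":
    # Pass the install prefix to audit; with no argument the sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, reasons in sorted(audit_tree(target).items()):
        print(f"{path}: {'; '.join(reasons)}")
```

Once the permissions have been changed by hand as the solution describes, a rerun against the install prefix should report no findings.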