SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS

  • SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS已关闭评论
  • 7 views
  • A+
所属分类:安全客_漏洞

SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONS

漏洞ID 1053336 漏洞类型
发布时间 1992-05-27 更新时间 1992-05-27
SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONSCVE编号 N/A
SunOS 4.1.3 - LD_LIBRARY_PATH / LD_OPTIONSCNNVD-ID N/A
漏洞平台 Solaris CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/19044
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/43/info

There exists a vulnerability involving environment variables and setuid/setgid programs under SunOS 4.0 and higher.

A dynamically-linked program that is invoked by a setuid/setgid program has access to the caller's LD_* environmental variables if the setuid/setgid program sets the real and effective UIDs to be equal and the real and effective GIDs to be equal before the dynamically-linked program is executed. A vulnerability exists if the UIDs and GIDs are not equal to those of the user that invoked the setuid/setgid program.

In particular, SunOS /usr/lib/sendmail, /usr/bin/login, /usr/bin/su, and /usr/5bin/su are vulnerable to this problem.

In-house and third-party software can also be impacted by this vulnerability. For example, the current versions of rnews, sudo, smount, and npasswd are known to be vulnerable under SunOS. 

This or similar vulnerabilities have been found in other unix operating systems.

It seems Sun's solution is to call the dynamicly linked programs without both the real and effective uid and gid being the same. This is rather subobtimal as third party programs are left vulnerable. A better solutio is to mark a process as having changed it's uid or gid within the kernel. The dynamic linker can then query this information and use the LD_* variables depending on the results.

$ mkdir /tmp/mylib
$ cp libevil.so /tmp/mylib
$ export LD_LIBRARY_PATH=/tmp/mylib
$ /bin/login
#

相关推荐: WordPress?安全漏洞

WordPress?安全漏洞 漏洞ID 2405671 漏洞类型 其他 发布时间 2021-04-05 更新时间 2021-04-06 CVE编号 CVE-2021-24170 CNNVD-ID CNNVD-202104-156 漏洞平台 N/A CVSS评分…