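Vulnerability details
mirror file creation vulnerability
- CNNVD ID: CNNVD-200009-002
- Severity: Medium
- CVE ID: CVE-2000-0354
- Vulnerability type: Input validation
- Published: 2000-09-28
- Threat type: Remote
- Updated: 2005-05-02
- Vendor: lee_mcloughlin
- Vulnerability source: This vulnerability…
Vulnerability summary
A vulnerability exists in mirror on Linux systems. A remote attacker can exploit it to create files one level above the local target directory.
Vulnerability advisory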
Apply the following patch to mirror:
*** mirror.pl Mon Jun 8 11:55:27 1998
— /usr/local/mirror2.9/mirror Wed Sep 29 16:34:01 1999
***************
*** 2657,2662 ****
— 2657,2701 —-
$no_rename = (! $remote_has_rename) || ($remote_fs eq ‘macos’ && ! $get_file);
foreach $src_path ( @xfer_src ){
+
+ ##
+ #BEGIN jcp@EUnet.pt 1999/09/29
+ #
+ #Date: Tue, 28 Sep 1999 18:27:54 +0400
+ #From: 3APA3A
+ #To: BUGTRAQ@SECURITYFOCUS.COM
+ #Subject: mirror 2.9 hole
+ #
+ #Hello BUGTRAQ@SECURITYFOCUS.COM,
+ #
+ #mirror is a Perl script which is widely used for making copy of remote
+ #FTP site. It’s included in FreeBSD packages. There are security holes,
+ #which allows overwrite local files from remote ftp site with
+ #permissions of the user who uses mirror. Then retrieving directory
+ #listing mirror doesn’t check filename or directory name to contain
+ #”..” or “\” This allows to create or overwrite files in directory
+ #different from destination.
+ #
+ #To simply test this bug you can create ” ..” directory on your ftp
+ #site and mirror your site. Mirror will create temporary files in
+ #directory one level higher then specifyed. This way you couldn’t
+ #overwrite some useful information, but this may be used, for example,
+ #to fill out / directory (if mirror is ran from root).
+ #
+ #But with putting little changes into you ftpd (for example making him
+ #change ‘\’ to ‘/’ on listings) you can force mirror to overwrite _any_
+ #file with permissions of mirror user then he mirrors your ftp site.
+ #
+ #
+ #Tested with:
+ #$ mirror -v
+ #$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
+
+ if( $src_path =~ /\w*\.\.\//){
+ &msg( $log, “WARNING: BAD dir detected, skipping: $src_path\n” );
+ next;
+ }
+ #END jcp@EUnet.pt
if( $get_file ){
$srci = $remote_map{ $src_path };
}
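Review bot: the test `if( $src_path =~ /\w*\.\.\//){` only matches a ".." that is immediately followed by "/", so a path whose final component is ".." and a name containing "\" (both cases named in the quoted report) still reach the transfer code. The leading `\w*` can match the empty string and adds nothing, and because the pattern is unanchored it also skips legitimate names that merely end in two dots before a slash, such as `a../b`. Consider matching whole path components instead, for example `m{(^|/)\.\.(/|$)}`, and rejecting any `\` in `$src_path` in the same check. The 30-odd lines of quoted e-mail would read better as a one-line reference to the BUGTRAQ post, leaving the comment to state what the check rejects and why.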
References
Source: BUGTRAQ
Name: 19990928 mirror 2.9 hole
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=15769.990928@tomcat.ru
Source: BID
Name: 681
Link: http://www.securityfocus.com/bid/681
Source: SUSE
Name: 19991001 Security hole in mirror
Link: http://www.novell.com/linux/security/advisories/suse_security_announce_22.html
Source: DEBIAN
Name: 19991018 Incorrect directory name handling in mirror
Link: http://www.debian.org/security/1999/19991018