Richard Gooch SimpleInit Open File Descriptor Vulnerability

Vulnerability Details

Vulnerability Summary

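simpleinit on Linux systems does not close a read/write FIFO file descriptor when it creates child processes. A child process can exploit this flaw to cause simpleinit to execute arbitrary programs with root privileges.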

Vulnerability Advisory

An unofficial patch has been provided by Patrick Smith:
— login-utils/simpleinit.c.orig 2001-09-29 11:09:10.000000000 -0400
+++ login-utils/simpleinit.c 2002-05-23 22:16:07.000000000 -0400
@@ -203,6 +203,18 @@
if ( ( initctl_fd = open (initctl_name, O_RDWR, 0) ) < 0 )
err ( _(“error opening fifo\n”) );
}
+ if ( initctl_fd >= 0 )
+ if ( fcntl (initctl_fd, F_SETFD, FD_CLOEXEC) != 0 ) {
+ err ( _(“error setting close-on-exec on /dev/initctl”) );
+ /* Can the fcntl ever fail? If it does, and we leave
+ the descriptor open in child processes, then any
+ process on the system will be able to write to
+ /dev/initctl and have us execute arbitrary commands
+ as root. So let’s refuse to use the fifo in this
+ case. */
+ close(initctl_fd);
+ initctl_fd = -1;
+ }
if ( want_single || (access (_PATH_SINGLE, R_OK) == 0) ) do_single ();
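Review bot: The new err call in the fcntl failure branch passes a message with no trailing "\n", while the existing "error opening fifo\n" message just above it has one, and it hardcodes /dev/initctl even though the descriptor was opened from initctl_name; make the message consistent with the context line and use the variable. The outer `if ( initctl_fd >= 0 )` has no braces around a multi-line nested if, so folding both tests into a single condition (`initctl_fd >= 0 && fcntl (...) != 0`) would be harder to misread. Closing the descriptor and setting `initctl_fd = -1` on failure is the right fail-closed choice; on platforms that support it, passing O_CLOEXEC to the open call would set the flag atomically and make the separate fcntl unnecessary.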
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
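An added example, not part of the original advisory or of simpleinit: a small C audit that lists the descriptors a child would inherit across exec (those without FD_CLOEXEC) and applies the same fail-closed handling as the unofficial patch above. The function names are hypothetical, and the pipe is a constructed stand-in for the /dev/initctl FIFO.

```c
/* Added example: audit which descriptors a child would inherit across exec. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Collect open descriptors in [lo, hi] that lack FD_CLOEXEC, i.e. the ones
   that stay open in a child after fork() + exec(). Returns the count found;
   at most `max` of them are stored in `out`. (Hypothetical helper.) */
int audit_inheritable_fds(int lo, int hi, int *out, int max)
{
    int n = 0;
    for (int fd = lo; fd <= hi; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1)            /* EBADF: descriptor is not open */
            continue;
        if (!(flags & FD_CLOEXEC)) {
            if (n < max)
                out[n] = fd;
            n++;
        }
    }
    return n;
}

/* Fail closed, as the patch does: if close-on-exec cannot be set, close the
   descriptor and mark it unusable rather than let children inherit it.
   Returns 0 on success, -1 if the descriptor was abandoned. */
int set_cloexec_or_close(int *fd)
{
    int flags = fcntl(*fd, F_GETFD);
    if (flags != -1 && fcntl(*fd, F_SETFD, flags | FD_CLOEXEC) == 0)
        return 0;
    close(*fd);
    *fd = -1;
    return -1;
}

int main(void)
{
    int p[2], leaked[16];
    if (pipe(p) != 0) {             /* constructed stand-in for the FIFO */
        perror("pipe");
        return 1;
    }
    int before = audit_inheritable_fds(3, 255, leaked, 16);
    set_cloexec_or_close(&p[0]);
    set_cloexec_or_close(&p[1]);
    int after = audit_inheritable_fds(3, 255, leaked, 16);
    printf("inheritable fds >= 3: before=%d after=%d\n", before, after);
    return 0;
}
```

Running the audit in a privileged daemon just before it forks shows which descriptors still need the flag set.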

References

Source: BID
Name: 5001
Link: http://www.securityfocus.com/bid/5001

Source: XF
Name: simpleinit-file-descriptor-open(9357)
Link: http://www.iss.net/security_center/static/9357.php

Source: BUGTRAQ
Name: 20020613 simpleinit root exploit – file descriptor left open
Link: http://online.securityfocus.com/archive/1/276739
