CVE-1999-1394 : Detail

CVE-1999-1394

0.05%V3
Local
2001-09-12 02h00 +00:00
2024-08-01 17h11 +00:00

CVE Descriptions

BSD 4.4 based operating systems, when running at security level 1, allow the root user to clear the immutable and append-only flags for files by unmounting the file system and using a file system editor such as fsdb to directly modify the file through a device.

CVE Information

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 2.1 | | AV:L/AC:L/Au:N/C:N/I:P/A:N | nvd@nist.gov |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 19411

Publication date : 1999-07-01 22h00 +00:00
Author : Stealth
EDB Verified : Yes

source: https://www.securityfocus.com/bid/510/info

In 4.4BSD derivatives there are four secure levels that provide added filesystem security (among other things) over and above the regular Unix permission system. Part of the secure levels is the system of file flags, which includes the immutable and append-only flags. In secure level 0, these flags are irrelevant. The vulnerability lies in an inherent flaw in security level 1. In security level 1, the file flags are acknowledged; files such as /usr/bin/login can be set immutable and so forth; however, unmounted partitions/devices can be freely written to and modified (by root, of course).

Stealth <stealth@cyberspace.org> has written a tool which allows an intruder who has gained root to bypass security level 1 by writing directly to the device and clearing the file flags. The tool also sets the CLEAN flag in the filesystem, which fools the computer into thinking the modified device is clean, avoiding detection at bootup.

A hypothetical situation for exploitation of this vulnerability is as follows:

Hacker compromises root on target host.
Hacker attempts backdoor insertion and realizes suid binaries are immutable.
Hacker verifies secure level is set to 1.
Hacker unmounts /usr.
Hacker writes directly to device previously mounted as /usr, clearing file flags.
Hacker mounts modified device as /usr.
Hacker installs backdoored /usr/bin/login.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19411.tgz
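From the defender's side, the scenario above leaves two observable conditions: a securelevel below 2, and protective flags that have disappeared from files that previously carried them. The following audit is an added example, not code from the advisory or from Stealth's tool. It assumes flag listings in BSD `ls -lo` format, with the baseline kept off-host, and relies on the init(8) rule (not stated on this page) that securelevel 2 forbids opening disks for writing whether mounted or not. The function names and sample listings are constructed for illustration.

```python
import re

PROTECTIVE = {"schg", "sappnd"}  # system immutable / system append-only

# BSD `ls -lo` line: mode links owner group flags size month day time-or-year path
LS_LO = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<flags>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>/.*)$"
)

def parse_ls_lo(text):
    """Map path -> set of file flags; '-' in the flags column means none."""
    out = {}
    for line in text.splitlines():
        m = LS_LO.match(line.strip())
        if m:
            flags = m.group("flags")
            out[m.group("path")] = set() if flags == "-" else set(flags.split(","))
    return out

def audit(securelevel, baseline, current):
    """Return findings: weak securelevel, and protective flags lost since baseline."""
    findings = []
    if securelevel < 2:
        # Assumption from init(8): only level 2+ blocks raw writes to unmounted disks.
        findings.append(
            f"securelevel={securelevel}: raw disk writes to unmounted filesystems allowed")
    for path, flags in sorted(baseline.items()):
        want = flags & PROTECTIVE
        if path not in current:
            findings.append(f"{path}: missing from current listing")
        elif want - current[path]:
            findings.append(f"{path}: lost {','.join(sorted(want - current[path]))}")
    return findings

# Constructed sample listings (not captured from a real host).
BASELINE = """\
-r-sr-xr-x  1 root  wheel  schg 24576 Jul  1 1999 /usr/bin/login
-r-sr-xr-x  1 root  wheel  schg 20480 Jul  1 1999 /usr/bin/su
-rw-r--r--  1 root  wheel  sappnd 9120 Jul  1 1999 /var/log/auth.log
"""
CURRENT = """\
-r-sr-xr-x  1 root  wheel  - 24576 Jul  2 1999 /usr/bin/login
-r-sr-xr-x  1 root  wheel  schg 20480 Jul  1 1999 /usr/bin/su
-rw-r--r--  1 root  wheel  sappnd 9544 Jul  2 1999 /var/log/auth.log
"""

if __name__ == "__main__":
    for finding in audit(1, parse_ls_lo(BASELINE), parse_ls_lo(CURRENT)):
        print(finding)
```

Because the flags are cleared while the filesystem is offline, a baseline stored on the audited host can be rewritten in the same session; the comparison is only meaningful against a copy the host's root user cannot modify.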

Products Mentioned

Configuration 0

Bsd >> Bsd >> Version 4.4

References

http://marc.info/?l=bugtraq&m=93094058620450&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/510
Tags : vdb-entry, x_refsource_BID