UTempter Multiple Local Vulnerabilities
BID:10178
Info
UTempter Multiple Local Vulnerabilities
| Bugtraq ID: | 10178 |
| Class: | Unknown |
| CVE: |
CVE-2004-0233 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 19 2004 12:00AM |
| Updated: | Jul 12 2009 04:06AM |
| Credit: | Discovery of these issues has been credited to Steve Grubb. |
| Vulnerable: |
utempter utempter 0.5.3 utempter utempter 0.5.2 Sun Java Desktop System (JDS) 2.0 Sun Java Desktop System (JDS) 2003 Slackware Linux 9.1 Slackware Linux -current SGI ProPack 3.0 SGI ProPack 2.4 Redhat utempter-0.5.2-16.i386.rpm |
| Not Vulnerable: |
utempter utempter 0.5.5 .4 |
Discussion
UTempter Multiple Local Vulnerabilities
It has been reported that utempter is affected by multiple local vulnerabilities. The first issue is due to an input validation error that causes the application to exit improperly; facilitating symbolic link attacks. The second issue is due to a failure of the application to properly validate buffer boundaries.
The first issue results in a symbolic link vulnerability. Since utempter runs with root privileges, this issue could be leveraged to corrupt arbitrary, attacker-specified system files.
The second problem presents itself when utempter processes certain strings. These errors may cause the affected process to crash. It has been conjectured that this may be leveraged to execute arbitrary code on the affected system, however this is currently unverified.
This BID will be updated as new information becomes available.
It has been reported that utempter is affected by multiple local vulnerabilities. The first issue is due to an input validation error that causes the application to exit improperly; facilitating symbolic link attacks. The second issue is due to a failure of the application to properly validate buffer boundaries.
The first issue results in a symbolic link vulnerability. Since utempter runs with root privileges, this issue could be leveraged to corrupt arbitrary, attacker-specified system files.
The second problem presents itself when utempter processes certain strings. These errors may cause the affected process to crash. It has been conjectured that this may be leveraged to execute arbitrary code on the affected system, however this is currently unverified.
This BID will be updated as new information becomes available.
Exploit / POC
UTempter Multiple Local Vulnerabilities
The following proof of concept has been provided to leverage the symbolic link issue:
An attacker would create the following symbolic link that references an arbitrary system file:
/tmp/tty0
The attacker would then provide the following device descriptor string to the application:
/dev/../tmp/tty0
The following proof of concept has been provided to leverage the symbolic link issue:
An attacker would create the following symbolic link that references an arbitrary system file:
/tmp/tty0
The attacker would then provide the following device descriptor string to the application:
/dev/../tmp/tty0
Solution / Fix
UTempter Multiple Local Vulnerabilities
Solution:
Red Hat has released an advisory RHSA-2004:175-01 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.
Mandrake has released an advisory MDKSA-2004:031-1 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.
Slackware Linux has released advisory SSA:2004-110-01 and updates dealing with this issue.
Red Hat Fedora has released advisory FEDORA-2004-108 and information on updated the affected application. Please see the referenced advisory for more information.
Gentoo Linux has released advisory GLSA 200405-05 dealing with this issue. It is recommended that affected users issue these commands to ensure their system is properly updated:
# emerge sync
# emerge -pv ">=sys-apps/utempter-0.5.5.4"
# emerge ">=sys-apps/utempter-0.5.5.4"
Red Hat Fedora Legacy has released advisory FLSA:1546 dealing with this issue for Red Hat Linux 8.0, 7.3 and 7.2. Please see the referenced advisory for more information.
Red Hat has released advisory RHSA-2004:174-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.
SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.
SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.
Sun has released Sun Alert Notification #57658 to address this issue in Sun Java Desktop System operating systems. Please see the referenced alert for further information on obtaining fixes.
Redhat utempter-0.5.2-16.i386.rpm
Slackware Linux -current
utempter utempter 0.5.2
utempter utempter 0.5.3
SGI ProPack 2.4
SGI ProPack 3.0
Slackware Linux 9.1
Solution:
Red Hat has released an advisory RHSA-2004:175-01 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.
Mandrake has released an advisory MDKSA-2004:031-1 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.
Slackware Linux has released advisory SSA:2004-110-01 and updates dealing with this issue.
Red Hat Fedora has released advisory FEDORA-2004-108 and information on updated the affected application. Please see the referenced advisory for more information.
Gentoo Linux has released advisory GLSA 200405-05 dealing with this issue. It is recommended that affected users issue these commands to ensure their system is properly updated:
# emerge sync
# emerge -pv ">=sys-apps/utempter-0.5.5.4"
# emerge ">=sys-apps/utempter-0.5.5.4"
Red Hat Fedora Legacy has released advisory FLSA:1546 dealing with this issue for Red Hat Linux 8.0, 7.3 and 7.2. Please see the referenced advisory for more information.
Red Hat has released advisory RHSA-2004:174-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.
SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.
SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.
Sun has released Sun Alert Notification #57658 to address this issue in Sun Java Desktop System operating systems. Please see the referenced alert for further information on obtaining fixes.
Redhat utempter-0.5.2-16.i386.rpm
-
RedHat utempter-0.5.5-2.RHL9.0.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/utempter-0.5.5-2.RHL9.0.i386.rpm
Slackware Linux -current
-
Slackware utempter-1.1.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/ut empter-1.1.1-i486-1.tgz
utempter utempter 0.5.2
-
Fedora utempter-0.5.2-6.7.x.1.legacy.i386.rpm
Red Hat Linux 7.2 & 7.3
http://download.fedoralegacy.org/redhat/7.2/updates/i386/utempter-0.5. 2-6.7.x.1.legacy.i386.rpm -
Fedora utempter-0.5.2-6.8.0.1.legacy.i386.rpm
Red Hat Linux 8.0
http://download.fedoralegacy.org/redhat/8.0/updates/i386/utempter-0.5. 2-6.8.0.1.legacy.i386.rpm -
Mandrake lib64utempter0-0.5.2-12.2.100mdk.amd64.rpm
Mandrake Linux 10.0/AMD64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake lib64utempter0-0.5.2-12.2.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake lib64utempter0-devel-0.5.2-12.2.100mdk.amd64.rpm
Mandrake Linux 10.0/AMD64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake lib64utempter0-devel-0.5.2-12.2.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-10.1.91mdk.i586.rpm
Mandrakelinux 9.1:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-10.1.91mdk.ppc.rpm
Mandrakelinux 9.1/PPC:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-10.2.91mdk.i586.rpm
Mandrake Linux 9.1
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-10.2.91mdk.ppc.rpm
Mandrake Linux 9.1/PPC
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-11.1.C21mdk.i586.rpm
Corporate Server 2.1:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-11.1.C21mdk.x86_64.rpm
Corporate Server 2.1/x86_64:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-11.2.C21mdk.i586.rpm
Mandrake Corporate Server 2.1
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-11.2.C21mdk.x86_64.rpm
Mandrake Corporate Server 2.1/X86_64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-12.1.100mdk.i586.rpm
Mandrakelinux 10.0:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-12.1.92mdk.i586.rpm
Mandrakelinux 9.2:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-12.2.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-12.2.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-5.1.M82mdk.i586.rpm
Multi Network Firewall 8.2:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-0.5.2-5.2.M82mdk.i586.rpm
Mandrake Multi Network Firewall 8.2
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-10.1.91mdk.i586.rpm
Mandrakelinux 9.1:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-10.1.91mdk.ppc.rpm
Mandrakelinux 9.1/PPC:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-10.2.91mdk.i586.rpm
Mandrake Linux 9.1
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-10.2.91mdk.ppc.rpm
Mandrake Linux 9.1/PPC
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-11.1.C21mdk.i586.rpm
Corporate Server 2.1:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-11.2.C21mdk.i586.rpm
Mandrake Corporate Server 2.1
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-11.2.C21mdk.x86_64.rpm
Mandrake Corporate Server 2.1/X86_64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-12.1.100mdk.i586.rpm
Mandrakelinux 10.0:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-12.1.92mdk.i586.rpm
Mandrakelinux 9.2:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-12.2.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-12.2.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-5.1.M82mdk.i586.rpm
Multi Network Firewall 8.2:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake libutempter0-devel-0.5.2-5.2.M82mdk.i586.rpm
Mandrake Multi Network Firewall 8.2
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-10.1.91mdk.i586.rpm
Mandrakelinux 9.1:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-10.1.91mdk.ppc.rpm
Mandrakelinux 9.1/PPC:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-10.2.91mdk.i586.rpm
Mandrake Linux 9.1
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-10.2.91mdk.ppc.rpm
Mandrake Linux 9.1/PPC
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-11.1.C21mdk.i586.rpm
Corporate Server 2.1:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-11.1.C21mdk.x86_64.rpm
Corporate Server 2.1/x86_64:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-11.2.C21mdk.i586.rpm
Mandrake Corporate Server 2.1
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-11.2.C21mdk.x86_64.rpm
Mandrake Corporate Server 2.1/X86_64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.1.100mdk.i586.rpm
Mandrakelinux 10.0:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.1.92mdk.amd64.rpm
Mandrakelinux 9.2/AMD64:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.1.92mdk.i586.rpm
Mandrakelinux 9.2:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.2.100mdk.amd64.rpm
Mandrake Linux 10.0/AMD64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.2.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.2.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-12.2.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-5.1.M82mdk.i586.rpm
Multi Network Firewall 8.2:
http://www.mandrakesecure.net/en/ftp.php -
Mandrake utempter-0.5.2-5.2.M82mdk.i586.rpm
Mandrake Multi Network Firewall 8.2
http://www.mandrakesecure.net/en/ftp.php
utempter utempter 0.5.3
-
Fedora utempter-0.5.5-3.FC1.0.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /utempter-0.5.5-3.FC1.0.i386.rpm -
Fedora utempter-0.5.5-3.FC1.0.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/x86_ 64/utempter-0.5.5-3.FC1.0.x86_64.rpm -
Fedora utempter-debuginfo-0.5.5-3.FC1.0.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386 /debug/utempter-debuginfo-0.5.5-3.FC1.0.i386.rpm -
Fedora utempter-debuginfo-0.5.5-3.FC1.0.x86_64.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/x86_ 64/x86_64/debug/utempter-debuginfo-0.5.5-3.FC1.0.x86_64.rpm
SGI ProPack 2.4
-
SGI patch10079.tar.gz
ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/patch1 0079.tar.gz
SGI ProPack 3.0
-
SGI patch10080.tar.gz
ftp://patches.sgi.com/support/free/security/patches/ProPack/3/patch100 80.tar.gz
Slackware Linux 9.1
-
Slackware utempter-1.1.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/u tempter-1.1.1-i486-1.tgz
References
UTempter Multiple Local Vulnerabilities
References:
References: