UTempter Multiple Local Vulnerabilities

BID:10178

Info

UTempter Multiple Local Vulnerabilities

Bugtraq ID: 10178
Class: Unknown
CVE: CVE-2004-0233
Remote: No
Local: Yes
Published: Apr 19 2004 12:00AM
Updated: Jul 12 2009 04:06AM
Credit: Discovery of these issues has been credited to Steve Grubb.
Vulnerable: utempter utempter 0.5.3
utempter utempter 0.5.2
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.1
Sun Java Desktop System (JDS) 2.0
Sun Java Desktop System (JDS) 2003
Slackware Linux 9.1
Slackware Linux -current
SGI ProPack 3.0
SGI ProPack 2.4
Redhat utempter-0.5.2-16.i386.rpm
+ Redhat Linux 9.0 i386
Not Vulnerable: utempter utempter 0.5.5 .4

Discussion

UTempter Multiple Local Vulnerabilities

It has been reported that utempter is affected by multiple local vulnerabilities. The first issue is due to an input validation error that causes the application to exit improperly; facilitating symbolic link attacks. The second issue is due to a failure of the application to properly validate buffer boundaries.

The first issue results in a symbolic link vulnerability. Since utempter runs with root privileges, this issue could be leveraged to corrupt arbitrary, attacker-specified system files.

The second problem presents itself when utempter processes certain strings. These errors may cause the affected process to crash. It has been conjectured that this may be leveraged to execute arbitrary code on the affected system, however this is currently unverified.

This BID will be updated as new information becomes available.

Exploit / POC

UTempter Multiple Local Vulnerabilities

The following proof of concept has been provided to leverage the symbolic link issue:

An attacker would create the following symbolic link that references an arbitrary system file:

/tmp/tty0

The attacker would then provide the following device descriptor string to the application:

/dev/../tmp/tty0

Solution / Fix

UTempter Multiple Local Vulnerabilities

Solution:
Red Hat has released an advisory RHSA-2004:175-01 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.

Mandrake has released an advisory MDKSA-2004:031-1 and fixes to address this issue. Please see referenced advisory for further details regarding obtaining and applying appropriate fixes.

Slackware Linux has released advisory SSA:2004-110-01 and updates dealing with this issue.

Red Hat Fedora has released advisory FEDORA-2004-108 and information on updated the affected application. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200405-05 dealing with this issue. It is recommended that affected users issue these commands to ensure their system is properly updated:
# emerge sync
# emerge -pv ">=sys-apps/utempter-0.5.5.4"
# emerge ">=sys-apps/utempter-0.5.5.4"

Red Hat Fedora Legacy has released advisory FLSA:1546 dealing with this issue for Red Hat Linux 8.0, 7.3 and 7.2. Please see the referenced advisory for more information.

Red Hat has released advisory RHSA-2004:174-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

SGI has released an advisory (20040603-01-U) to address this and other issues in SGI ProPack 3. Please see the referenced advisory for more information.

SGI has released an advisory (20040602-01-U) to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

Sun has released Sun Alert Notification #57658 to address this issue in Sun Java Desktop System operating systems. Please see the referenced alert for further information on obtaining fixes.


Redhat utempter-0.5.2-16.i386.rpm

Slackware Linux -current

utempter utempter 0.5.2

utempter utempter 0.5.3

SGI ProPack 2.4

SGI ProPack 3.0

Slackware Linux 9.1

References

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report