Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
BID:9523
Info
Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
| Bugtraq ID: | 9523 |
| Class: | Configuration Error |
| CVE: |
CVE-2004-2133 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 29 2004 12:00AM |
| Updated: | Jul 12 2009 02:06AM |
| Credit: | Discovery is credited to Matthias Andree. |
| Vulnerable: |
S.u.S.E. cvsup-16.1h-43.i586.rpm S.u.S.E. cvsup-16.1h-36.i586.rpm S.u.S.E. cvsup-16.1h-2.i386.rpm |
| Not Vulnerable: |
S.u.S.E. cvsup-16.1h-90.i586.rpm |
Discussion
Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
It has been reported that some third-party vendor-supplied CVSup binaries may have an insecure ELF RPATH that includes world-writeable directories in the path. A local attacker could exploit this issue by placing malicious libraries in these directories, which would be dynamically linked against at run-time when the cvsup, cvsupd or cvpasswd programs are executed. This would result in execution of arbitrary code with elevated privileges.
This issue was reported to affect CVSup RPMs that ship with SuSE Linux. Other distributions may also be affected. Statically linked versions of the software should not be affected by this version.
It has been reported that some third-party vendor-supplied CVSup binaries may have an insecure ELF RPATH that includes world-writeable directories in the path. A local attacker could exploit this issue by placing malicious libraries in these directories, which would be dynamically linked against at run-time when the cvsup, cvsupd or cvpasswd programs are executed. This would result in execution of arbitrary code with elevated privileges.
This issue was reported to affect CVSup RPMs that ship with SuSE Linux. Other distributions may also be affected. Statically linked versions of the software should not be affected by this version.
Exploit / POC
Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
There is no exploit required.
There is no exploit required.
Solution / Fix
Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
Solution:
SuSE has released an updated RPM for CVSup to address this issue.
S.u.S.E. cvsup-16.1h-2.i386.rpm
S.u.S.E. cvsup-16.1h-36.i586.rpm
S.u.S.E. cvsup-16.1h-43.i586.rpm
Solution:
SuSE has released an updated RPM for CVSup to address this issue.
S.u.S.E. cvsup-16.1h-2.i386.rpm
-
SuSE cvsup-16.1h-90.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvsup-16.1h-90.i5 86.rpm
S.u.S.E. cvsup-16.1h-36.i586.rpm
-
SuSE cvsup-16.1h-90.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvsup-16.1h-90.i5 86.rpm
S.u.S.E. cvsup-16.1h-43.i586.rpm
-
SuSE cvsup-16.1h-90.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvsup-16.1h-90.i5 86.rpm
References
Third-party CVSup Binary Insecure ELF RPATH Library Replacement Vulnerability
References:
References:
- CVSup Homepage (CVSup)
- Security Announcement: untrusted ELF library path in some cvsup binary RPMs (Matthias Andree
)