Vulnerabilities > CVE-2000-0947 - Unspecified vulnerability in GNU Cfengine 1.5/1.5.34/1.6

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Format string vulnerability in cfd daemon in GNU CFEngine before 1.6.0a11 allows attackers to execute arbitrary commands via format characters in the CAUTH command.

Vulnerable Configurations

Part Description Count
Application
Gnu
3

Nessus

  • NASL family: Gain a shell remotely
    NASL id: CFENGINE_FORMAT_STRING_VULN.NASL
    description: Cfengine is running on this remote host. Cfengine contains a component, cfd, which serves as a remote-configuration client to cfengine. This version of cfd contains several flaws in the way that it calls syslog(). As a result, trusted hosts and valid users (if access controls are not in place) can cause the vulnerable host to log malicious data which, when logged, can either crash the server or execute arbitrary code on the stack. In the latter case, the code would be executed as the 'root' user.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14316
    published: 2004-08-20
    reporter: This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14316
    title: Cfengine CAUTH Command Remote Format String
    code:
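    #
    # (C) Tenable Network Security, Inc.
    #
    # Version check for CVE-2000-0947: the cfd daemon of GNU cfengine before
    # 1.6.0a11 passes CAUTH data to syslog() as a format string.  This plugin
    # does not talk to cfd itself; it keys off the "cfengine/running" and
    # "cfengine/version" knowledge-base entries populated by
    # cfengine_detect.nasl (declared as a dependency below).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14316);
      script_version("1.17");
      script_cvs_date("Date: 2018/07/03 15:35:24");
    
      script_cve_id("CVE-2000-0947");
      script_bugtraq_id(1757);
    
      script_name(english:"Cfengine CAUTH Command Remote Format String");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by a remote command execution 
    vulnerability." );
      script_set_attribute(attribute:"description", value:
    "Cfengine is running on this remote host.
    
    Cfengine contains a component, cfd, which serves as a 
    remote-configuration client to cfengine.  This version of cfd contains 
    several flaws in the way that it calls syslog().  As a result, trusted
    hosts and valid users (if access controls are not in place) can cause
    the vulnerable host to log malicious data which, when logged, can 
    either crash the server or execute arbitrary code on the stack.  In 
    the latter case, the code would be executed as the 'root' user." );
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2328dff9" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to 1.6.0a11 or newer" );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/20");
      script_set_attribute(attribute:"vuln_publication_date", value: "2000/10/01");
      # NOTE(review): plugin_type is "local" although the check below is
      # driven by a remote service port (script_require_ports(5308)); left
      # unchanged since it is metadata only.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_summary(english:"check for cfengine flaw based on its version");
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gain a shell remotely");
      script_require_ports(5308);
    
      script_dependencies("cfengine_detect.nasl");
      exit(0);
    }
    
    # Port reported in the finding; it is not probed here.
    port = 5308;
    if ( ! get_kb_item("cfengine/running") ) exit(0);
    
    version = get_kb_item("cfengine/version");
    
    # Affected: 1.0.x through 1.5.x, and 1.6.0a0 through 1.6.0a10.  The alpha
    # number must be followed by a non-digit OR the end of the string; the
    # previous pattern required a trailing character, so a version value of
    # exactly "1.6.0a10" (or "1.6.0a9") was never reported.  "1.6.0a11" and
    # later still do not match.
    if (version)
    {
      if (egrep(pattern:"^1\.([0-5]\..*|6\.0a([0-9]|10)([^0-9]|$))", string:version))
        security_hole(port);
    }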
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2000-061.NASL
    description: The GNU cfengine is an abstract programming language for system administrators of large heterogeneous networks, used for maintenance and administration. There are a number of string format vulnerabilities in syslog() calls that can be abused to either make the cfengine program segfault and die or to execute arbitrary commands as the user the cfengine program runs as (usually root). The problems are fixed in this update and all Linux-Mandrake users are encouraged to upgrade.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61848
    published: 2012-09-06
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/61848
    title: Mandrake Linux Security Advisory : cfengine (MDKSA-2000:061)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Mandrake Linux Security Advisory MDKSA-2000:061.
    # The text itself is copyright (C) Mandriva S.A.
    #
    # Local (credentialed) check: compares the cfengine RPM installed on a
    # Mandrake 7.1 host against the fixed package named in the advisory.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61848);
      script_version("1.5");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2000-0947");
      script_xref(name:"MDKSA", value:"2000:061");
    
      script_name(english:"Mandrake Linux Security Advisory : cfengine (MDKSA-2000:061)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The GNU cfengine is an abstract programming language for system
    administrators of large heterogeneous networks, used for maintenance
    and administration. There are a number of string format
    vulnerabilities in syslog() calls that can be abused to either make
    the cfengine program segfault and die or to execute arbitrary commands
    as the user the cfengine program runs as (usually root). The problems
    are fixed in this update and all Linux-Mandrake users are encouraged
    to upgrade.");
      script_set_attribute(attribute:"solution", value:"Update the affected cfengine package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      # Product and platform CPEs, followed by the advisory / plugin dates.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cfengine");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"patch_publication_date", value:"2000/10/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: local checks enabled, a Mandrake release string and an
    # rpm inventory in the knowledge base.  Each failure is reported via audit().
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 architectures are covered by the package references below.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if (arch !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", arch);
    
    # One package reference from the advisory; rpm_check() (rpm.inc) is
    # presumably true when the installed build predates the reference.
    missing = 0;
    if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"cfengine-1.5.4-5mdk", yank:"mdk")) missing++;
    
    if (missing)
    {
      # Attach the rpm comparison details only when verbose reporting is on.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");