Vulnerabilities > CVE-2001-0040 - Unspecified vulnerability in APC Apcupsd 3.7.2

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
apc
nessus
exploit available

Summary

APC UPS daemon, apcupsd, saves its process ID in a world-writable file, which allows local users to kill an arbitrary process by specifying the target process ID in the apcupsd.pid file.

Vulnerable Configurations

Part Description Count
Application
Apc
1

Exploit-Db

descriptionAPC UPS 3.7.2 (apcupsd) Local Denial of Service Exploit. CVE-2001-0040. Dos exploit for linux platform
idEDB-ID:251
last seen2016-01-31
modified2001-01-15
published2001-01-15
reporterthe itch
sourcehttps://www.exploit-db.com/download/251/
titleAPC UPS 3.7.2 apcupsd Local Denial of Service Exploit

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2000-077.NASL
    descriptionA problem exists with the apcupsd daemon. During startup, apcupsd creates a PID file in /var/run with the ID of the daemon process. This file is used by the shutdown script to kill the daemon process. The /var/run/apcupsd.pid file is created with mode 666 permissions, meaning it is world-writable. A malicious user can overwrite the file with arbitrary process IDs and those processes will be killed instead of the apcupsd process during the restart or stop of the apcupsd daemon.
    last seen2020-06-01
    modified2020-06-02
    plugin id61863
    published2012-09-06
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/61863
    titleMandrake Linux Security Advisory : apcupsd (MDKSA-2000:077)
    code
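    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2000:077. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    # Local (credentialed) package-version check for CVE-2001-0040 on
    # Mandrake Linux 7.2: apcupsd created /var/run/apcupsd.pid world-writable,
    # so the stop/restart script could be made to signal an attacker-chosen
    # PID. The fixed package is apcupsd-3.8.0-1.1mdk.
    #
    
    include("compat.inc");
    
    # Registration phase: Nessus loads the plugin with 'description' set to
    # collect metadata only; nothing below this block runs in that mode.
    if (description)
    {
      script_id(61863);
      script_version("1.5");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2001-0040");
      script_xref(name:"MDKSA", value:"2000:077");
    
      script_name(english:"Mandrake Linux Security Advisory : apcupsd (MDKSA-2000:077)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Mandrake Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A problem exists with the apcupsd daemon. During startup, apcupsd
    creates a PID file in /var/run with the ID of the daemon process. This
    file is used by the shutdown script to kill the daemon process. The
    /var/run/apcupsd.pid file is created with mode 666 permissions,
    meaning it is world-writeable. A malicious user can overwrite the file
    with arbitrary process IDs and those proceses will be killed instead
    of the apcupsd process during the restart or stop of the apcupsd
    daemon."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apcupsd package."
      );
      # Local, low-complexity, no auth, availability-only impact (CVSS 2.1).
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:apcupsd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2000/12/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The KB keys tested below are populated by ssh_get_info.nasl.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions: local checks enabled, a Mandrake release string and an rpm
    # list must all be present in the KB; each audit() call exits the plugin.
    # The OS-name typo ("Mandake") in the original audit message is corrected here.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 package builds are covered by the reference below.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # rpm_check() is true when the installed apcupsd is older than the fixed reference.
    flag = 0;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"apcupsd-3.8.0-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      # Verbose reports attach the installed-vs-fixed package comparison.
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");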
    
  • NASL familyGain a shell remotely
    NASL idAPCUPSD_OVERFLOWS.NASL
    descriptionThe remote host is running the apcupsd client which, according to its version number, is affected by multiple vulnerabilities : - The configuration file
    last seen2020-06-01
    modified2020-06-02
    plugin id11484
    published2003-03-26
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11484
    titleAPC < 3.8.0 apcupsd Multiple Vulnerabilities
    code
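    #
    # (C) Tenable Network Security, Inc.
    #
    # Remote version check against the apcupsd network information server
    # (apcnisd). It sends a "status" request, locates the RELEASE line in the
    # reply and flags releases associated with CVE-2001-0040 (world-writable
    # PID file), CVE-2003-0098 and CVE-2003-0099. The check is purely
    # version-based, which is why the report warns about false positives.
    #
    
    
    include("compat.inc");
    
    # Registration phase: metadata only, no host interaction.
    if(description)
    {
      script_id(11484);
      script_bugtraq_id(2070, 6828, 7200);
      script_cve_id("CVE-2001-0040", "CVE-2003-0098", "CVE-2003-0099");
      
      script_version ("1.20");
     
      script_name(english:"APC < 3.8.0 apcupsd Multiple Vulnerabilities");
      script_summary(english:"Checks the version of apcupsd");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is running an application which is affected by
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running the apcupsd client which, according to its
    version number, is affected by multiple vulnerabilities :
    
      - The configuration file '/var/run/apcupsd.pid' is by
        default world-writable. A local attacker could re-write 
        this file with other process IDs in order to crash the
        affected system.
    
      - An issue exists in the 'log_event' function which a
        local attacker could exploit in order to execute
        arbitrary code.
    
      - Several buffer overflow vulnerabilities have been
        reported which a remote attacker could exploit in order
        to execute arbitrary code on the remote host.
    
    *** Nessus solely relied on the version number of the 
    *** remote server, so this might be a false positive" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Dec/102" );
     script_set_attribute(attribute:"see_also", value:"http://www.novell.com/linux/security/advisories/2003_022_apcupsd.html" );
     # Product name corrected from "acpupsd" in the original solution text.
     script_set_attribute(attribute:"solution", value:
    "Upgrading to apcupsd version 3.8.0 or newer reportedly fixes the issue." );
     # The network/complete-impact vector reflects the remote overflows
     # (CVE-2003-0098/0099) bundled into this plugin, not the local DoS alone.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/03/26");
     script_set_attribute(attribute:"vuln_publication_date", value: "2000/12/06");
     script_cvs_date("Date: 2018/11/15 20:50:22");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
      script_category(ACT_GATHER_INFO);
     
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
      script_family(english:"Gain a shell remotely");
      # Port is taken from apcnisd_detect.nasl when it found the service.
      script_dependencie("find_service1.nasl", "apcnisd_detect.nasl");
      script_require_ports("Services/apcnisd", 7000);
    
      exit(0);
    }
    
    # Prefer the detected service port; fall back to the apcnisd default.
    port = get_kb_item("Services/apcnisd");
    if (! port) port = 7000;
    if (! get_port_state(port)) exit(0);
    
    soc = open_sock_tcp(port);
    if(!soc)exit(0);
    # Request framing as used here: a two-byte length prefix (0x0006, the
    # length of "status") followed by the command text.
    req = raw_string(0x00, 0x06) + "status";
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    # Release the socket as soon as the reply is in; the original never closed it.
    close(soc);
    
    # Only treat the reply as apcupsd status output when both markers are present.
    if("APC" >< r && "MODEL" >< r)
    {
      # strstr() returns NULL when no RELEASE line exists; guard before matching.
      rel = strstr(r, "RELEASE");
      # Flags 0.x-2.x, 3.0-3.7.x, 3.8.0-3.8.5 and 3.10.0-3.10.4 releases.
      if(!isnull(rel) && ereg(pattern:"RELEASE.*: (3\.([0-7]\..*|8\.[0-5][^0-9]|10\.[0-4])|[0-2]\..*)", string:rel))
           security_hole(port);
    
    }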