Vulnerabilities > CVE-2001-0387 - Local Format String vulnerability in Hylafax hfaxd
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Format string vulnerability in hfaxd in HylaFAX before 4.1.b2_2 allows local users to gain privileges via the -q command line argument.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2001-041.NASL description A problem exists with the HylaFAX program, hfaxd. When hfaxd tries to change it last seen 2020-06-01 modified 2020-06-02 plugin id 61912 published 2012-09-06 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61912 title Mandrake Linux Security Advisory : hylafax (MDKSA-2001:041) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2001:041. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(61912); script_version("1.6"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2001-0387"); script_xref(name:"MDKSA", value:"2001:041"); script_name(english:"Mandrake Linux Security Advisory : hylafax (MDKSA-2001:041)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A problem exists with the HylaFAX program, hfaxd. When hfaxd tries to change it's queue directory and fails, it prints an error message via syslog by directly passing user-supplied data as the format string. If hfaxd is installed setuid root, this behaviour can be exploited to gain root access locally. Note that Linux-Mandrake does not ship hfaxd setuid root by default." ); script_set_attribute( attribute:"solution", value: "Update the affected hylafax, hylafax-client and / or hylafax-server packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:hylafax"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:hylafax-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:hylafax-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2"); script_set_attribute(attribute:"patch_publication_date", value:"2001/04/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"hylafax-4.1-0.10mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"hylafax-client-4.1-0.10mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"hylafax-server-4.1-0.10mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"hylafax-4.1-0.9mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"hylafax-client-4.1-0.9mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"hylafax-server-4.1-0.9mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-148.NASL description A set of problems have been discovered in Hylafax, a flexible client/server fax software distributed with many GNU/Linux distributions. Quoting SecurityFocus the problems are in detail : - A format string vulnerability makes it possible for users to potentially execute arbitrary code on some implementations. Due to insufficient checking of input, it last seen 2020-06-01 modified 2020-06-02 plugin id 14985 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14985 title Debian DSA-148-1 : hylafax - buffer overflows and format string vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-148. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(14985); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2001-0387", "CVE-2001-1034", "CVE-2002-1049", "CVE-2002-1050"); script_bugtraq_id(3357, 5348, 5349); script_xref(name:"DSA", value:"148"); script_name(english:"Debian DSA-148-1 : hylafax - buffer overflows and format string vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A set of problems have been discovered in Hylafax, a flexible client/server fax software distributed with many GNU/Linux distributions. Quoting SecurityFocus the problems are in detail : - A format string vulnerability makes it possible for users to potentially execute arbitrary code on some implementations. Due to insufficient checking of input, it's possible to execute a format string attack. Since this only affects systems with the faxrm and faxalter programs installed setuid, Debian is not vulnerable. - A buffer overflow has been reported in Hylafax. A malicious fax transmission may include a long scan line that will overflow a memory buffer, corrupting adjacent memory. An exploit may result in a denial of service condition, or possibly the execution of arbitrary code with root privileges. - A format string vulnerability has been discovered in faxgetty. Incoming fax messages include a Transmitting Subscriber Identification (TSI) string, used to identify the sending fax machine. Hylafax uses this data as part of a format string without properly sanitizing the input. Malicious fax data may cause the server to crash, resulting in a denial of service condition. - Marcin Dawcewicz discovered a format string vulnerability in hfaxd, which will crash hfaxd under certain circumstances. Since Debian doesn't have hfaxd installed setuid root, this problem cannot directly lead into a vulnerability. This has been fixed by Darren Nickerson, which was already present in newer versions, but not in the potato version. These problems have been fixed in version 4.0.2-14.3 for the old stable distribution (potato), in version 4.1.1-1.1 for the current stable distribution (woody) and in version 4.1.2-2.1 for the unstable distribution (sid)." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-148" ); script_set_attribute(attribute:"solution", value:"Upgrade the hylafax packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:hylafax"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/08/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/04/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"hylafax-client", reference:"4.0.2-14.3")) flag++; if (deb_check(release:"2.2", prefix:"hylafax-doc", reference:"4.0.2-14.3")) flag++; if (deb_check(release:"2.2", prefix:"hylafax-server", reference:"4.0.2-14.3")) flag++; if (deb_check(release:"3.0", prefix:"hylafax-client", reference:"4.1.1-1.1")) flag++; if (deb_check(release:"3.0", prefix:"hylafax-doc", reference:"4.1.1-1.1")) flag++; if (deb_check(release:"3.0", prefix:"hylafax-server", reference:"4.1.1-1.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://archives.neohapsis.com/archives/bugtraq/2001-04/0236.html
- http://archives.neohapsis.com/archives/freebsd/2001-04/0606.html
- http://lists.suse.com/archives/suse-security-announce/2001-Apr/0005.html
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-041.php3
- http://www.osvdb.org/5679
- http://www.securityfocus.com/archive/1/175963
- http://www.securityfocus.com/bid/2574
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6377