Vulnerabilities > CVE-2001-0623 - Local Security vulnerability in Sendfile
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
sendfiled, as included with Simple Asynchronous File Transfer (SAFT), on various Linux systems does not properly drop privileges when sending notification emails, which allows local attackers to gain privileges.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description: Sendfile 1.x/2.1 Local Privileged Arbitrary Command Execution Vulnerability. CVE-2001-0623. Local exploit for linux platform
id: EDB-ID:20795
last seen: 2016-02-02
modified: 2001-04-24
published: 2001-04-24
reporter: psheep
source: https://www.exploit-db.com/download/20795/
title: Sendfile 1.x/2.1 - Local Privileged Arbitrary Command Execution Vulnerability

description: Sendfile 1.x/2.1 Forced Privilege Lowering Failure Vulnerability. CVE-2001-0623. Local exploit for linux platform
id: EDB-ID:20798
last seen: 2016-02-02
modified: 2001-04-24
published: 2001-04-24
reporter: Cade Cairns
source: https://www.exploit-db.com/download/20798/
title: Sendfile 1.x/2.1 - Forced Privilege Lowering Failure Vulnerability
Nessus
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-052.NASL
description Daniel Kobras has discovered and fixed a problem in sendfiled which caused the daemon not to drop privileges as expected when sending notification mails. Exploiting this, a local user can easily make it execute arbitrary code under root privileges.
last seen 2020-06-01
modified 2020-06-02
plugin id 14889
published 2004-09-29
reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/14889
title Debian DSA-052-1 : sendfile - broken dropping of privileges
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-052. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: local (credentialed) check that reports a Debian 2.2 host whose
# installed "sendfile" package has not been updated to the DSA-052 fix for
# CVE-2001-0623 (sendfiled failing to drop privileges when sending
# notification mails).
#
# What a finding means: this is a package-version comparison against the
# collected dpkg list, as the script_summary below states. It does not probe
# sendfiled itself, so it says nothing about whether the daemon is running,
# and a copy of sendfile installed outside dpkg would presumably not be seen.
#
# Relationship to DSA-050: the DSA-050 plugin on this page carries the same
# CVE id but compares against 2.1-20.2 (patch date 2001/04/20), while this
# one compares against 2.1-20.3 (patch date 2001/04/23). A host sitting at
# 2.1-20.2 would therefore be expected to pass the DSA-050 check and still be
# reported here; treat 2.1-20.3 as the version to verify.

include("compat.inc");

# Registration pass: only metadata is declared here, and the script exits
# before any host data is read.
if (description)
{
  script_id(14889);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  # Cross-references used to correlate this finding with the CVE and the
  # Debian advisory number.
  script_cve_id("CVE-2001-0623");
  script_xref(name:"DSA", value:"052");

  script_name(english:"Debian DSA-052-1 : sendfile - broken dropping of privileges");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value: "Daniel Kobras has discovered and fixed a problem in sendfiled which caused the daemon not to drop privileges as expected when sending notification mails. Exploiting this, a local user can easily make it execute arbitrary code under root privileges."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2001/dsa-052"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the sendfile package immediately."
  );

  # CVSS v2 vector: local access, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:sendfile");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
  script_set_attribute(attribute:"patch_publication_date", value:"2001/04/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  # Information-gathering category; the plugin only reads previously
  # collected host data.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The check depends on data gathered over an authenticated session:
  # ssh_get_info.nasl must have run and populated the three KB keys below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: without local checks, a Debian release string and the dpkg
# package list, the plugin audits out rather than reporting. A scan without
# working credentials therefore yields no finding here, which is not the same
# as the host being patched.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# deb_check() comes from debian_package.inc and is not shown on this page;
# presumably it is true when release 2.2 has a "sendfile" package older than
# the reference version 2.1-20.3 -- confirm against the include file.
if (deb_check(release:"2.2", prefix:"sendfile", reference:"2.1-20.3")) flag++;

if (flag)
{
  # Reported against port 0; with verbosity enabled the package comparison
  # text from deb_report_get() is attached as evidence.
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-050.NASL
description Colin Phipps and Daniel Kobras discovered and fixed several serious bugs in the saft daemon `sendfiled
last seen 2020-06-01
modified 2020-06-02
plugin id 14887
published 2004-09-29
reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/14887
title Debian DSA-050-1 : sendfile - broken privileges dropping, broken tempfile code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-050. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: local (credentialed) check that reports a Debian 2.2 host whose
# installed "sendfile" package has not been updated to the DSA-050 fix for
# CVE-2001-0623 (sendfiled dropping privileges incorrectly).
#
# What a finding means: this is a package-version comparison against the
# collected dpkg list, as the script_summary below states. It does not probe
# sendfiled itself.
#
# Caveat for triage: the DSA-052 plugin on this page carries the same CVE id
# and compares against the later version 2.1-20.3 (patch date 2001/04/23,
# three days after this advisory's 2001/04/20). A clean result from this
# check alone therefore does not show that the host has the later fix;
# confirm against the DSA-052 reference version as well.

include("compat.inc");

# Registration pass: only metadata is declared here, and the script exits
# before any host data is read.
if (description)
{
  script_id(14887);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  # Cross-references used to correlate this finding with the CVE and the
  # Debian advisory number.
  script_cve_id("CVE-2001-0623");
  script_xref(name:"DSA", value:"050");

  script_name(english:"Debian DSA-050-1 : sendfile - broken privileges dropping, broken tempfile");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value: "Colin Phipps and Daniel Kobras discovered and fixed several serious bugs in the saft daemon `sendfiled' which caused it to drop privileges incorrectly. Exploiting this a local user can easily make it execute arbitrary code under root privileges."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2001/dsa-050"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the sendfile packages immediately."
  );

  # CVSS v2 vector: local access, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:sendfile");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
  script_set_attribute(attribute:"patch_publication_date", value:"2001/04/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  # Information-gathering category; the plugin only reads previously
  # collected host data.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The check depends on data gathered over an authenticated session:
  # ssh_get_info.nasl must have run and populated the three KB keys below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: without local checks, a Debian release string and the dpkg
# package list, the plugin audits out rather than reporting. A scan without
# working credentials therefore yields no finding here, which is not the same
# as the host being patched.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
# deb_check() comes from debian_package.inc and is not shown on this page;
# presumably it is true when release 2.2 has a "sendfile" package older than
# the reference version 2.1-20.2 -- confirm against the include file.
if (deb_check(release:"2.2", prefix:"sendfile", reference:"2.1-20.2")) flag++;

if (flag)
{
  # Reported against port 0; with verbosity enabled the package comparison
  # text from deb_report_get() is attached as evidence.
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");