Vulnerabilities > CVE-2001-1022
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Format string vulnerability in pic utility in groff 1.16.1 and other versions, and jgroff before 1.15, allows remote attackers to bypass the -S option and execute arbitrary commands via format string specifiers in the plot command.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 | |
| Application | 1 |
Exploit-Db
| description | GNU groff 1.1x xploitation Via LPD Vulnerability. CVE-2001-1022 . Remote exploit for linux platform |
| id | EDB-ID:21037 |
| last seen | 2016-02-02 |
| modified | 2001-06-23 |
| published | 2001-06-23 |
| reporter | zen-parse |
| source | https://www.exploit-db.com/download/21037/ |
| title | GNU groff 1.1x xploitation Via LPD Vulnerability |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-072.NASL description Zenith Parse found a security problem in groff (the GNU version oftroff). The pic command was vulnerable to a printf format attack which made it possible to circumvent the `-S last seen 2020-06-01 modified 2020-06-02 plugin id 14909 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14909 title Debian DSA-072-1 : groff - printf format attack code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-072. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(14909); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:16"); script_cve_id("CVE-2001-1022"); script_bugtraq_id(3103); script_xref(name:"DSA", value:"072"); script_name(english:"Debian DSA-072-1 : groff - printf format attack"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Zenith Parse found a security problem in groff (the GNU version oftroff). The pic command was vulnerable to a printf format attack which made it possible to circumvent the `-S' option and execute arbitrary code." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2001/dsa-072" ); script_set_attribute( attribute:"solution", value: "This has been fixed in version 1.15.2-2, and we recommend that you upgrade your groff packages immediately." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:groff"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"patch_publication_date", value:"2001/08/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"groff", reference:"1.15.2-2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-107.NASL description Basically, this is the same Security Advisory as DSA 072-1, but for jgroff instead of groff. The package jgroff contains a version derived from groff that has Japanese character sets enabled. This package is available only in the stable release of Debian, patches for Japanese support have been merged into the main groff package. The old advisory said : Zenith Parse found a security problem in groff (the GNU version of troff). The pic command was vulnerable to a printf format attack which made it possible to circumvent the `-S last seen 2020-06-01 modified 2020-06-02 plugin id 14944 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14944 title Debian DSA-107-1 : jgroff - format print vulnerability
Redhat
| advisories |
|
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000428
- http://www.debian.org/security/2001/dsa-072
- http://www.debian.org/security/2002/dsa-107
- http://www.osvdb.org/1914
- http://www.redhat.com/support/errata/RHSA-2002-004.html
- http://www.securityfocus.com/archive/1/199706
- http://www.securityfocus.com/bid/3103
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6918