Vulnerabilities > CVE-2001-1077 - Buffer Overflow vulnerability in Rxvt 2.6.2

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
rxvt
nessus
exploit available
NVD
Published: 2001-06-15
Updated: 2017-12-19

Summary

Buffer overflow in tt_printf function of rxvt 2.6.2 allows local users to gain privileges via a long (1) -T or (2) -name argument.

Vulnerable Configurations

Part Description Count
Application
Rxvt
1

Exploit-Db

descriptionRxvt 2.6.1/2.6.2 Buffer Overflow Vulnerability. CVE-2001-1077. Local exploit for linux platform
idEDB-ID:20928
last seen2016-02-02
modified2001-06-15
published2001-06-15
reporterMasterSecuritY
sourcehttps://www.exploit-db.com/download/20928/
titleRxvt 2.6.1/2.6.2 - Buffer Overflow Vulnerability

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DSA-062.NASL
descriptionSamuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) have a buffer overflow in thett_printf() function. A local user could abuse this making rxvt print a special string using that function, for example by using the -T or -name command-line options. That string would cause a stack overflow and contain code which rxvt will execute. Since rxvt is installed sgid utmp an attacker could use this to gain utmp which would allow them to modify the utmp file.
last seen2020-06-01
modified2020-06-02
plugin id14899
published2004-09-29
reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/14899
titleDebian DSA-062-1 : rxvt - buffer overflow
code
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-062. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(14899);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  script_cve_id("CVE-2001-1077");
  script_bugtraq_id(2878);
  script_xref(name:"DSA", value:"062");

  script_name(english:"Debian DSA-062-1 : rxvt - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102
 terminal emulator for X) have a buffer overflow in thett_printf()
 function. A local user could abuse this making rxvt print a special
 string using that function, for example by using the -T or -name
 command-line options. That string would cause a stack overflow and
 contain code which rxvt will execute.

Since rxvt is installed sgid utmp an attacker could use this to gain
utmp which would allow them to modify the utmp file."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2001/dsa-062"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"This has been fixed in version 2.6.2-2.1, and we recommend that you
upgrade your rxvt package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rxvt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2001/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"2.2", prefix:"rxvt", reference:"2.6.2-2.1")) flag++;
if (deb_check(release:"2.2", prefix:"rxvt-ml", reference:"2.6.2-2.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

References