Vulnerabilities > CVE-2001-1331
Attack vector
LOCAL Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
mandb in the man-db package before 2.3.16-3 allows local users to overwrite arbitrary files via the command line options (1) -u or (2) -c, which do not drop privileges and follow symlinks.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| OS | 1 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-059.NASL description Luki R. reported a bug in man-db: it did not handle nested calls ofdrop_effective_privs() and regain_effective_privs() correctly which would cause it to regain privileges too early. This could be abused to make man create files as user man. last seen 2020-06-01 modified 2020-06-02 plugin id 14896 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14896 title Debian DSA-059-1 : man-db - symlink attack code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-059. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(14896); script_version("1.19"); script_cvs_date("Date: 2019/08/02 13:32:16"); script_cve_id("CVE-2001-1331"); script_bugtraq_id(2720, 2815); script_xref(name:"DSA", value:"059"); script_name(english:"Debian DSA-059-1 : man-db - symlink attack"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Luki R. reported a bug in man-db: it did not handle nested calls ofdrop_effective_privs() and regain_effective_privs() correctly which would cause it to regain privileges too early. This could be abused to make man create files as user man." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2001/dsa-059" ); script_set_attribute( attribute:"solution", value: "This has been fixed in version 2.3.16-4, and we recommend that you upgrade your man-db package immediately. If you use suidmanager you can also use that to make sure man and mandb are not installed suid which protects you from this problem. This can be done with the following commands: suidregister /usr/lib/man-db/man root root 0755 suidregister /usr/lib/man-db/mandb root root 0755 Of course even when using suidmanager an upgrade is still strongly recommended." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:man-db"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"patch_publication_date", value:"2001/06/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"man-db", reference:"2.3.16-4")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:deb_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-056.NASL description Ethan Benson found a bug in man-db packages as distributed in Debian GNU/Linux 2.2. man-db includes a mandb tool which is used to build an index of the manual pages installed on a system. When the -u or -c option were given on the command-line to tell it to write its database to a different location it failed to properly drop privileges before creating a temporary file. This makes it possible for an attacker to do a standard symlink attack to trick mandb into overwriting any file that is writable by uid man, which includes the man and mandb binaries. last seen 2020-06-01 modified 2020-06-02 plugin id 14893 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14893 title Debian DSA-056-1 : man-db - local file overwrite code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-056. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(14893); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:16"); script_cve_id("CVE-2001-1331"); script_bugtraq_id(2720); script_xref(name:"DSA", value:"056"); script_name(english:"Debian DSA-056-1 : man-db - local file overwrite"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Ethan Benson found a bug in man-db packages as distributed in Debian GNU/Linux 2.2. man-db includes a mandb tool which is used to build an index of the manual pages installed on a system. When the -u or -c option were given on the command-line to tell it to write its database to a different location it failed to properly drop privileges before creating a temporary file. This makes it possible for an attacker to do a standard symlink attack to trick mandb into overwriting any file that is writable by uid man, which includes the man and mandb binaries." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2001/dsa-056" ); script_set_attribute( attribute:"solution", value: "This has been fixed in version 2.3.16-3, and we recommend that you upgrade your man-db package immediately. If you use suidmanager you can also use that to make sure man and mandb are not installed suid which protects you from this problem. This can be done with the following commands: suidregister /usr/lib/man-db/man root root 0755 suidregister /usr/lib/man-db/mandb root root 0755 Of course even when using suidmanager an upgrade is still strongly recommended." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:man-db"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2"); script_set_attribute(attribute:"patch_publication_date", value:"2001/05/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"2.2", prefix:"man-db", reference:"2.3.16-3")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:deb_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");