Vulnerabilities > CVE-2002-0164 - Unspecified vulnerability in Caldera Openlinux Server and Openlinux Workstation

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
caldera
nessus

Summary

Vulnerability in the MIT-SHM extension of the X server on Linux (XFree86) 4.2.1 and earlier allows local users to read and write arbitrary shared memory, possibly to cause a denial of service or gain privileges.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-065.NASL
    descriptionUpdated XFree86 packages that resolve various security issues and additionally provide a number of bug fixes and enhancements are now available for Red Hat Enterprise Linux 2.1. XFree86 is an implementation of the X Window System, which provides the graphical user interface, video drivers, etc. for Linux systems. A number of security vulnerabilities have been found and fixed. In addition, various other bug fixes, driver updates, and other enhancements have been made. Security fixes : Xterm, provided as part of the XFree86 packages, provides an escape sequence for reporting the current window title. This escape sequence essentially takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id12369
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12369
    titleRHEL 2.1 : XFree86 (RHSA-2003:065)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:065. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12369);
      script_version ("1.29");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2001-1409", "CVE-2002-0164", "CVE-2002-1510", "CVE-2003-0063", "CVE-2003-0071");
      script_xref(name:"RHSA", value:"2003:065");
    
      script_name(english:"RHEL 2.1 : XFree86 (RHSA-2003:065)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated XFree86 packages that resolve various security issues and
    additionally provide a number of bug fixes and enhancements are now
    available for Red Hat Enterprise Linux 2.1.
    
    XFree86 is an implementation of the X Window System, which provides
    the graphical user interface, video drivers, etc. for Linux systems.
    
    A number of security vulnerabilities have been found and fixed. In
    addition, various other bug fixes, driver updates, and other
    enhancements have been made.
    
    Security fixes :
    
    Xterm, provided as part of the XFree86 packages, provides an escape
    sequence for reporting the current window title. This escape sequence
    essentially takes the current title and places it directly on the
    command line. An attacker can craft an escape sequence that sets the
    victim's Xterm window title to an arbitrary command, and then reports
    it to the command line. Since it is not possible to embed a carriage
    return into the window title, the attacker would then have to convince
    the victim to press Enter for the shell to process the title as a
    command, although the attacker could craft other escape sequences that
    might convince the victim to do so. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2003-0063
    to this issue.
    
    It is possible to lock up versions of Xterm by sending an invalid DEC
    UDK escape sequence. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2003-0071 to this issue.
    
    The xdm display manager, with the authComplain variable set to false,
    allows arbitrary attackers to connect to the X server if the xdm auth
    directory does not exist. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the name CVE-2002-1510 to this
    issue.
    
    These erratum packages also contain an updated fix for CVE-2002-0164,
    a vulnerability in the MIT-SHM extension of the X server that allows
    local users to read and write arbitrary shared memory. The original
    fix did not cover the case where the X server is started from xdm.
    
    The X server was setting the /dev/dri directory permissions
    incorrectly, which resulted in the directory being world-writable. It
    now sets the directory permissions to a safe value. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2001-1409 to this issue.
    
    Driver updates and other fixes :
    
    The Rage 128 video driver (r128) has been updated to provide 2D
    support for all previously unsupported ATI Rage 128 hardware. DRI 3D
    support should also work on the majority of Rage 128 hardware.
    
    Bad page size assumptions in the ATI Radeon video driver (radeon) have
    been fixed, allowing the driver to work properly on ia64 and other
    architectures where the page size is not fixed.
    
    A long-standing XFree86 bug has been fixed. This bug occurs when any
    form of system clock skew (such as NTP clock synchronization, APM
    suspend/resume cycling on laptops, daylight savings time changeover,
    or even manually setting the system clock forward or backward) could
    result in odd application behavior, mouse and keyboard lockups, or
    even an X server hang or crash.
    
    The S3 Savage driver (savage) has been updated to the upstream
    author's latest version '1.1.27t', which should fix numerous bugs
    reported by various users, as well as adding support for some newer
    savage hardware.
    
    Users are advised to upgrade to these updated packages, which contain
    XFree86 version 4.1.0 with patches correcting these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2001-1409"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0164"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1510"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0063"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0071"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:065"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-100dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-75dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-15-100dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-15-75dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-2-100dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-2-75dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-9-100dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-ISO8859-9-75dpi-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-Xnest");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-Xvfb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-cyrillic-fonts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-twm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-xdm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-xf86cfg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:XFree86-xfs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:065";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-100dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-75dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-15-100dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-15-75dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-2-100dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-2-75dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-9-100dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-ISO8859-9-75dpi-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-Xnest-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-Xvfb-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-cyrillic-fonts-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-devel-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-doc-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-libs-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-tools-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-twm-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-xdm-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-xf86cfg-4.1.0-49.RHEL")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"XFree86-xfs-4.1.0-49.RHEL")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "XFree86 / XFree86-100dpi-fonts / XFree86-75dpi-fonts / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-380.NASL
    description#use wml::fmt::verbatim Four vulnerabilities have been discovered in XFree86. - CAN-2003-0063- xterm window title reporting escape sequence can deceive user The xterm package provides a terminal escape sequence that reports the window title by injecting it into the input buffer of the terminal window, as if the user had typed it. An attacker can craft an escape sequence that sets the title of a victim
    last seen2020-06-01
    modified2020-06-02
    plugin id15217
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15217
    titleDebian DSA-380-1 : xfree86 - buffer overflows, denial of service
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-380. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15217);
      script_version("1.26");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2002-0164", "CVE-2003-0063", "CVE-2003-0071", "CVE-2003-0079", "CVE-2003-0730");
      script_bugtraq_id(4396, 6940, 6950, 8514);
      script_xref(name:"DSA", value:"380");
    
      script_name(english:"Debian DSA-380-1 : xfree86 - buffer overflows, denial of service");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "#use wml::fmt::verbatim
    
    Four vulnerabilities have been discovered in XFree86.
    
      - CAN-2003-0063- xterm window title reporting escape
        sequence can deceive user
        The xterm package provides a terminal escape sequence
        that reports the window title by injecting it into the
        input buffer of the terminal window, as if the user had
        typed it. An attacker can craft an escape sequence that
        sets the title of a victim's xterm window to an
        arbitrary string (such as a shell command) and then
        reports that title. If the victim is at a shell prompt
        when this is done, the injected command will appear on
        the command line, ready to be run. Since it is not
        possible to embed a carriage return in the window title,
        the attacker would have to convince the victim to press
        Enter (or rely upon the victim's careless or confusion)
        for the shell or other interactive process to interpret
        the window title as user input. It is conceivable that
        the attacker could craft other escape sequences that
        might convince the victim to accept the injected input,
        however. The Common Vulnerabilities and Exposures
        project at cve.mitre.org has assigned the name
        CAN-2003-0063 to this issue.
    
      To determine whether your version of xterm is vulnerable to abuse of
      the window title reporting feature, run the following command at a
      shell prompt from within an xterm window :
    
        echo -e '\e[21t'
    
      (The terminal bell may ring, and the window title may be prefixed
      with an 'l'.)
    
      This flaw is exploitable by anything that can send output to a
      terminal window, such as a text document. The xterm user has to take
      action to cause the escape sequence to be sent, however (such as by
      viewing a malicious text document with the 'cat' command). Whether
      you are likely to be exposed to it depends on how you use xterm.
      Consider the following :
    
        echo -e '\e]2;s && echo rm -rf *\a' > /tmp/sploit echo -e '\e[21t'
        >> /tmp/sploit cat /tmp/sploit
    
      Debian has resolved this problem by disabling the window title
      reporting escape sequence in xterm; it is understood but ignored.
      The escape sequence to set the window title has not been disabled.
    
      A future release of the xterm package will have a configuration
      option to permit the user to turn the window title reporting feature
      back on, but it will default off.
    
      - CAN-2003-0071- xterm susceptible to DEC UDK escape
        sequence denial-of-service attack
    
        The xterm package, since it emulates DEC VT-series text
        terminals, emulates a feature of DEC VT terminals known
        as 'User-Defined Keys' (UDK for short). There is a bug
        in xterm's handling of DEC UDK escape sequences,
        however, and an ill-formed one can cause the xterm
        process to enter a tight loop. This causes the process
        to 'spin', consuming CPU cycles uselessly, and refusing
        to handle signals (such as efforts to kill the process
        or close the window).
    
      To determine whether your version of xterm is vulnerable to this
      attack, run the following command at a shell prompt from within a
      'sacrificial' xterm window (i.e., one that doesn't have anything in
      the scrollback buffer you might need to see later) :
    
        echo -e '\eP0;0|0A/17\x9c'
    
      This flaw is exploitable by anything that can send output to a
      terminal window, such as a text document. The xterm user has to take
      action to cause the escape sequence to be sent, however (such as by
      viewing a malicious text document with the 'cat' command). Whether
      you are likely to be exposed to it depends on how you use xterm.
    
      Debian has resolved this problem by backporting an upstream fix to
      XFree86 4.1.0.
    
      - CAN-2002-0164- flaw in X server's MIT-SHM extension
        permits user owning X session to read and write
        arbitrary shared memory segments
    
        Most X servers descended from the MIT/X Consortium/X.Org
        Sample Implementation, including XFree86's X servers,
        support an extension to the X protocol called MIT-SHM,
        which enables X clients running on the same host as the
        X server to operate more quickly and efficiently by
        taking advantage of an operating system feature called
        shared memory where it is available. The Linux kernel,
        for example, supports shared memory.
    
      Because the X server runs with elevated privileges, the operating
      system's built-in access control mechanisms are ineffective to
      police the X server's usage of segments of shared memory. The X
      server has to implement its own access control. This was imperfectly
      done in previous releases of XFree86 (and the MIT/X Consortium/X.Org
      Sample Implementation before it), leaving opportunities for
      malicious X clients to read and alter shared memory segments to
      which they should not have access. The Common Vulnerabilities and
      Exposures project at cve.mitre.org has assigned the name
      CAN-2002-0164 to this issue.
    
      Debian's XFree86 4.1.0-16 packages shipped with an incomplete fix
      for the this flaw, only enforcing proper access control for X
      servers that were not started by a display manager (e.g., xdm). This
      update resolves that problem.
    
      The Debian Project knows of no exploits for this vulnerability. A
      malicious X client that abused the MIT-SHM extension could
      conceivably be written however, and run (deliberately or
      unwittingly) by a user able to run an X server on a host. The impact
      of this flaw depends on how shared memory is used on the system. See
      the ipcs(8) manual page for more information.
    
      Debian has resolved this problem by backporting an upstream fix to
      XFree86 4.1.0.
    
      - CAN-2003-0730- multiple integer overflows in the font
        libraries for XFree86 allow local or remote attackers to
        cause a denial of service or execute arbitrary code via
        heap-based and stack-based buffer overflow attacks
    
        Security researcher 'blexim' wrote [paraphrased] :
    
        I have identified several bugs in the font libraries of the
        current version of the XFree86 source code. These bugs could
        potentially lead to the execution of arbitrary code by a remote
        user in any process which calls the functions in question. The
        functions are related to the transfer and enumeration of fonts
        from font servers to clients, limiting the range of the exposure
        caused by these bugs.
    
        Specifically, several sizing variables passed from a font server
        to a client are not adequately checked, causing calculations on
        them to result in erroneous values. These erroneous calculations
        can lead to buffers on the heap and stack overflowing, potentially
        leading to arbitrary code execution. As stated before, the risk is
        limited by the fact that only clients can be affected by these
        bugs, but in some (non-default) configurations, both xfs and the X
        server can act as clients to remote font servers. In these
        configurations, both xfs and the X server could be potentially
        compromised.
    
      The Common Vulnerabilities and Exposures project at cve.mitre.org
      has assigned the name CAN-2003-0730 to this issue.
    
      The Debian Project knows of no exploits for this vulnerability. By
      default in Debian, X servers are configured to listen only to a
      locally-running font server, which is not even used if the xfs
      package is not installed. The Debian default configuration of xfs
      uses only font directories on the local host, and does not attempt
      to connect to any external font servers.
    
      Debian has resolved this problem by backporting an upstream fix to
      XFree86 4.1.0.
    
    All of the above problems also affect the xfree86v3 packages (in the
    case of the first two flaws, the xterm source code contains the flaws,
    but no xterm package is produced). Due to resource limitations and a
    lack of upstream support for this legacy code, Debian is unable to
    continue supporting version 3.3.6 of XFree86. To avoid exposure to the
    latter two flaws in this advisory, we recommend that you remove the
    following packages if you have them installed :
    
      - xserver-3dlabs
      - xserver-8514
    
      - xserver-agx
    
      - xserver-common-v3
    
      - xserver-fbdev
    
      - xserver-i128
    
      - xserver-mach32
    
      - xserver-mach64
    
      - xserver-mach8
    
      - xserver-mono
    
      - xserver-p9000
    
      - xserver-s3
    
      - xserver-s3v
    
      - xserver-svga
    
      - xserver-tga
    
      - xserver-vga16
    
      - xserver-w32
    
    (You may also wish to remove the xext, xlib6, and xlib6-altdev
    packages, as support for them is being terminated along with the rest
    of the XFree86 3.3.6 packages, though they are not affected by the
    flaws in this advisory.)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-380"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the stable distribution (woody) these problems have been fixed in
    version 4.1.0-16woody1.
    
    We recommend that you update your xfree86 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xfree86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"lbxproxy", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libdps-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libdps1", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libdps1-dbg", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libxaw6", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libxaw6-dbg", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libxaw6-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libxaw7", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libxaw7-dbg", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"libxaw7-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"proxymngr", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"twm", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"x-window-system", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"x-window-system-core", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xbase-clients", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xdm", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-100dpi", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-100dpi-transcoded", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-75dpi", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-75dpi-transcoded", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-base", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-base-transcoded", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-cyrillic", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-pex", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfonts-scalable", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfree86-common", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfs", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xfwp", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlib6g", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlib6g-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibmesa-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibmesa3", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibmesa3-dbg", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibosmesa-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibosmesa3", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibosmesa3-dbg", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibs", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibs-dbg", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibs-dev", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xlibs-pic", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xmh", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xnest", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xprt", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xserver-common", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xserver-xfree86", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xspecs", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xterm", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xutils", reference:"4.1.0-16woody1")) flag++;
    if (deb_check(release:"3.0", prefix:"xvfb", reference:"4.1.0-16woody1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idOPENSERVER_OVERFLOWS.NASL
    descriptionAccording to its telnet banner, the remote host is a SCO Unix server running OpenServer version 5.0.5, 5.0.6, or 5.0.7. Such versions are vulnerable to two distinct exploits. Namely, - Xsco can be locally exploited by any valid user in order to escalate their privileges to
    last seen2020-06-01
    modified2020-06-02
    plugin id11895
    published2003-10-16
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11895
    titleSCO OpenServer Multiple Local Privilege Escalation Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if(description) {
     script_id(11895);
     script_version ("1.21");
     script_cve_id("CVE-2002-0158", "CVE-2002-0164");
     script_bugtraq_id(4396, 4985);
    
     script_name(english:"SCO OpenServer Multiple Local Privilege Escalation Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote server is affected by multiple local privilege escalation
    vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "According to its telnet banner, the remote host is a SCO Unix server
    running OpenServer version 5.0.5, 5.0.6, or 5.0.7.  Such versions are
    vulnerable to two distinct exploits.  Namely,
    
      - Xsco can be locally exploited by any valid user in
        order to escalate their privileges to 'root'.  The bug 
        is due to improper input handling when running the 
        command line switch '-co'.
    
      - There is a vulnerability in the MIT-SHM extension within
        all X servers that are running as root.  Any user with 
        local X access can exploit the MIT-SHM extension and 
        gain read/write access to any shared memory segment on 
        the system." );
     script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=101776858410652&w=2" );
     script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=103547625009363&w=2" );
     script_set_attribute(attribute:"see_also", value:"ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.26" );
     script_set_attribute(attribute:"solution", value:
    "Install the patched binaries referenced in the vendor's advisory." );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/10/16");
     script_set_attribute(attribute:"vuln_publication_date", value: "2002/03/15");
     script_cvs_date("Date: 2018/11/15 20:50:23");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
    
     script_summary(english:"Checks the remote SCO OpenServer");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
     script_dependencie("find_service1.nasl");
     script_require_ports("Services/telnet", 23);
     exit(0);
    }
    
    
    
    
    # start script
    
    # kind of a hokey way to find the bug...but, both bugs are local...
    
    include ("telnet_func.inc");
    
    port = get_kb_item("Services/telnet");
    if (!port) port=23;
    r = get_telnet_banner(port:port); 
    if (egrep(pattern:".*SCO OpenServer\(TM\) Release.*5\.0\.[5-7].*", string:r)) security_hole(0);
    

Redhat

advisories
rhsa
idRHSA-2003:067