Vulnerabilities > CVE-2002-0989 - Unspecified vulnerability in ROB Flynn Gaim
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The URL handler in the manual browser option for Gaim before 0.59.1 allows remote attackers to execute arbitrary script via shell metacharacters in a link.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 9 |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2002-054.NASL description Versions of Gaim (an AOL instant message client) prior to 0.58 contain a buffer overflow in the Jabber plug-in module. As well, a vulnerability was discovered in the URL-handling code, where the last seen 2020-06-01 modified 2020-06-02 plugin id 13956 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/13956 title Mandrake Linux Security Advisory : gaim (MDKSA-2002:054-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2002:054. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(13956); script_version ("1.24"); script_cvs_date("Date: 2019/08/02 13:32:46"); script_cve_id("CVE-2002-0384", "CVE-2002-0989"); script_bugtraq_id(5406, 5574); script_xref(name:"MDKSA", value:"2002:054-1"); script_name(english:"Mandrake Linux Security Advisory : gaim (MDKSA-2002:054-1)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Versions of Gaim (an AOL instant message client) prior to 0.58 contain a buffer overflow in the Jabber plug-in module. As well, a vulnerability was discovered in the URL-handling code, where the 'manual' browser command passes an untrusted string to the shell without reliable quoting or escaping. This allows an attacker to execute arbitrary commands on the user's machine with the user's permissions. Those using the built-in browser commands are not vulnerable. Update : The 8.1 package had an incorrect dependency on perl. This package has been replaced with a proper package. Please note the differing md5 sums." ); script_set_attribute( attribute:"see_also", value:"http://gaim.sourceforge.net/ChangeLog" ); script_set_attribute(attribute:"solution", value:"Update the affected gaim package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gaim"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1"); script_set_attribute(attribute:"patch_publication_date", value:"2002/09/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"gaim-0.59.1-1.1mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2002-191.NASL description Updated gaim packages are now available for Red Hat Linux Advanced Server. These updates fix a vulnerability in the default URL handler. Gaim is an all-in-one instant messaging client that lets you use a number of messaging protocols such as AIM, ICQ, and Yahoo, all at once. Versions of gaim prior to 0.59.1 contain a bug in the URL handler of the manual browser option. A link can be carefully crafted to contain an arbitrary shell script which will be executed if the user clicks on the link. Users of gaim should update to these errata packages containing gaim 0.59.1 which is not vulnerable to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 12323 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12323 title RHEL 2.1 : gaim (RHSA-2002:191) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2002:191. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12323); script_version ("1.23"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2002-0989"); script_xref(name:"RHSA", value:"2002:191"); script_name(english:"RHEL 2.1 : gaim (RHSA-2002:191)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated gaim packages are now available for Red Hat Linux Advanced Server. These updates fix a vulnerability in the default URL handler. Gaim is an all-in-one instant messaging client that lets you use a number of messaging protocols such as AIM, ICQ, and Yahoo, all at once. Versions of gaim prior to 0.59.1 contain a bug in the URL handler of the manual browser option. A link can be carefully crafted to contain an arbitrary shell script which will be executed if the user clicks on the link. Users of gaim should update to these errata packages containing gaim 0.59.1 which is not vulnerable to this issue." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-0989" ); # http://gaim.sourceforge.net/ChangeLog script_set_attribute( attribute:"see_also", value:"http://www.pidgin.im/ChangeLog" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2002:191" ); script_set_attribute(attribute:"solution", value:"Update the affected gaim package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gaim"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/24"); script_set_attribute(attribute:"patch_publication_date", value:"2002/09/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2002:191"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"gaim-0.59.1-0.2.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gaim"); } }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-158.NASL description The developers of Gaim, an instant messenger client that combines several different networks, found a vulnerability in the hyperlink handling code. The last seen 2020-06-01 modified 2020-06-02 plugin id 14995 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14995 title Debian DSA-158-1 : gaim - arbitrary program execution code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-158. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(14995); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:17"); script_cve_id("CVE-2002-0989"); script_bugtraq_id(5574); script_xref(name:"DSA", value:"158"); script_name(english:"Debian DSA-158-1 : gaim - arbitrary program execution"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "The developers of Gaim, an instant messenger client that combines several different networks, found a vulnerability in the hyperlink handling code. The 'Manual' browser command passes an untrusted string to the shell without escaping or reliable quoting, permitting an attacker to execute arbitrary commands on the users machine. Unfortunately, Gaim doesn't display the hyperlink before the user clicks on it. Users who use other inbuilt browser commands aren't vulnerable." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2002/dsa-158" ); script_set_attribute( attribute:"solution", value: "Upgrade the gaim package immediately. This problem has been fixed in version 0.58-2.2 for the current stable distribution (woody) and in version 0.59.1-2 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't ship the Gaim program. The fixed version of Gaim no longer passes the user's manual browser command to the shell. Commands which contain the %s in quotes will need to be amended, so they don't contain any quotes. The 'Manual' browser command can be edited in the 'General' pane of the 'Preferences' dialog, which can be accessed by clicking 'Options' from the login window, or 'Tools' and then 'Preferences' from the menu bar in the buddy list window." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:gaim"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2002/08/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29"); script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"gaim", reference:"0.58-2.2")) flag++; if (deb_check(release:"3.0", prefix:"gaim-common", reference:"0.58-2.2")) flag++; if (deb_check(release:"3.0", prefix:"gaim-gnome", reference:"0.58-2.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Redhat
| advisories |
|
References
- ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SN-02:06.asc
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=72728
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000521
- http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:054
- http://gaim.sourceforge.net/ChangeLog
- http://marc.info/?l=bugtraq&m=103046442403404&w=2
- http://online.securityfocus.com/advisories/4471
- http://www.debian.org/security/2002/dsa-158
- http://www.iss.net/security_center/static/9978.php
- http://www.osvdb.org/5033
- http://www.redhat.com/support/errata/RHSA-2002-189.html
- http://www.redhat.com/support/errata/RHSA-2002-190.html
- http://www.redhat.com/support/errata/RHSA-2002-191.html
- http://www.redhat.com/support/errata/RHSA-2003-156.html
- http://www.securityfocus.com/bid/5574