Vulnerabilities > CVE-2002-1392 - Unspecified vulnerability in Gert Doering Mgetty

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
local
low complexity
gert-doering
nessus

Summary

faxspool in mgetty before 1.1.29 uses a world-writable spool directory for outgoing faxes, which allows local users to modify fax transmission privileges.

Vulnerable Configurations

Part | Description | Count
Application | Gert_Doering | 1

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2003-053.NASL
    description: Two vulnerabilities were discovered in mgetty versions prior to 1.1.29. An internal buffer could be overflowed if the caller name reported by the modem, via Caller ID information, was too long. As well, the faxspool script that comes with mgetty used a simple permissions scheme to allow or deny fax transmission privileges. Because the spooling directory used for outgoing faxes was world-writable, this scheme was easily circumvented. Update : The installation of mgetty-sendfax on Mandrake Linux 8.2 relied on macros that are non-existent, which would result in fresh installs of mgetty-sendfax being unable to work. Updated packages for 8.2 correct this.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14037
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14037
    title: Mandrake Linux Security Advisory : mgetty (MDKSA-2003:053-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:053. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set, the script only declares its
    # metadata (ids, references, text, dependencies) and exits at the end of this
    # block, before any package check runs.
    if (description)
    {
      script_id(14037);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      # One plugin, two CVEs. Per the advisory text below these are a Caller ID
      # buffer overflow and the world-writable outgoing fax spool directory; a
      # finding is raised per missing package update, not per CVE.
      script_cve_id("CVE-2002-1391", "CVE-2002-1392");
      script_xref(name:"MDKSA", value:"2003:053");
      script_xref(name:"MDKSA", value:"2003:053-1");
    
      script_name(english:"Mandrake Linux Security Advisory : mgetty (MDKSA-2003:053-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities were discovered in mgetty versions prior to
    1.1.29. An internal buffer could be overflowed if the caller name
    reported by the modem, via Caller ID information, was too long. As
    well, the faxspool script that comes with mgetty used a simple
    permissions scheme to allow or deny fax transmission privileges.
    Because the spooling directory used for outgoing faxes was
    world-writable, this scheme was easily circumvented.
    
    Update :
    
    The installation of mgetty-sendfax on Mandrake Linux 8.2 relied on
    macros that are non-existent, which would result in fresh installs of
    mgetty-sendfax being unable to work. Updated packages for 8.2 correct
    this."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): this vector (network, no authentication, partial C/I/A) is
      # declared once for the whole plugin. The listing this plugin appears under
      # scores CVE-2002-1392 on its own as local, low complexity, integrity-only
      # (CVSS 2.1 - LOW), so the plugin severity presumably tracks the buffer
      # overflow rather than the spool-directory issue. Triage each CVE by its
      # own score, not by the plugin's.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local": the result is derived from package data gathered on the host
      # (see the required KB keys below), not from probing a network service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-sendfax");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-viewfax");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mgetty-voice");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/05/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The check depends on the KB items named in script_require_keys; they are
      # presumably populated by ssh_get_info.nasl during a credentialed scan -
      # confirm. Without credentials this plugin has nothing to evaluate.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      # End of the registration pass.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
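    # Preconditions, read from the knowledge base (KB). Each failed test hands off
    # to audit(), which is expected to end the script with the given audit reason.
    # The OS name in the second message is spelled "Mandrake", matching the
    # architecture audit further down.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate.
    # NOTE(review): amd64 / x86_64 pass this gate, but every rpm_check() below is
    # written for cpu:"i386". How rpm_check() treats a non-matching cpu is not
    # visible here; if it skips the comparison, a 64-bit host ends up audited as
    # "not affected" without any package having been compared - confirm against
    # rpm.inc before trusting a clean result on such hosts.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # Count the packages that rpm_check() flags against the fixed reference
    # (1.1.30-1.2mdk on 8.2, 1.1.30-1.1mdk on 9.0); presumably it returns true when
    # the installed package is older than `reference`. This is a version comparison
    # only: it does not look at the mode of the outgoing fax spool directory, so the
    # directory's permissions still have to be verified on the host itself.
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-1.1.30-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-contrib-1.1.30-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-sendfax-1.1.30-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-viewfax-1.1.30-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"mgetty-voice-1.1.30-1.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-1.1.30-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-contrib-1.1.30-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-sendfax-1.1.30-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-viewfax-1.1.30-1.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"mgetty-voice-1.1.30-1.1mdk", yank:"mdk")) flag++;
    
    
    # Any hit is reported through security_hole() on port 0; the per-package
    # detail from rpm_report_get() is attached only when report_verbosity > 0.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");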
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2003-008.NASL
    description: Updated Mgetty packages are now available to fix a possible buffer overflow and a permissions problem. Mgetty is a getty replacement for use with data and fax modems. Mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Versions of Mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long. Additionally, the faxspool script supplied with versions of Mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable. All users of Mgetty should upgrade to these errata packages, which contain Mgetty 1.1.30 and are not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12349
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12349
    title: RHEL 2.1 : mgetty (RHSA-2003:008)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2003:008. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set, the script only declares its
    # metadata (ids, references, text, dependencies) and exits at the end of this
    # block, before any package check runs.
    if (description)
    {
      script_id(12349);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      # One plugin, two CVEs. Per the advisory text below these are a Caller ID
      # buffer overflow and the world-writable outgoing fax spool directory; a
      # finding is raised per missing package update, not per CVE.
      script_cve_id("CVE-2002-1391", "CVE-2002-1392");
      script_xref(name:"RHSA", value:"2003:008");
    
      script_name(english:"RHEL 2.1 : mgetty (RHSA-2003:008)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated Mgetty packages are now available to fix a possible buffer
    overflow and a permissions problem.
    
    Mgetty is a getty replacement for use with data and fax modems.
    
    Mgetty can be configured to run an external program to decide whether
    or not to answer an incoming call based on Caller ID information.
    Versions of Mgetty prior to 1.1.29 would overflow an internal buffer
    if the caller name reported by the modem was too long.
    
    Additionally, the faxspool script supplied with versions of Mgetty
    prior to 1.1.29 used a simple permissions scheme to allow or deny fax
    transmission privileges. This scheme was easily circumvented because
    the spooling directory used for outgoing faxes was world-writable.
    
    All users of Mgetty should upgrade to these errata packages, which
    contain Mgetty 1.1.30 and are not vulnerable to these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1392"
      );
      # http://search.alphanet.ch/cgi-bin/search.cgi?msgid=
      # NOTE(review): the msgid= query in this reference is empty, so the link
      # does not identify a specific message; the intended message id is not
      # recoverable from this file.
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.alphanet.ch/~schaefer/cgi-bin/search.cgi?msgid="
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2003:008"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): this vector (network, no authentication, partial C/I/A) is
      # declared once for the whole plugin. The listing this plugin appears under
      # scores CVE-2002-1392 on its own as local, low complexity, integrity-only
      # (CVSS 2.1 - LOW), so the plugin severity presumably tracks the buffer
      # overflow rather than the spool-directory issue. Triage each CVE by its
      # own score, not by the plugin's.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local": the result is derived from package data gathered on the host
      # (see the required KB keys below), not from probing a network service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty-sendfax");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty-viewfax");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mgetty-voice");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # The check depends on the KB items named in script_require_keys; they are
      # presumably populated by ssh_get_info.nasl during a credentialed scan -
      # confirm. Without credentials this plugin has nothing to evaluate.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      # End of the registration pass.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # Preconditions, read from the knowledge base (KB). Each failed test hands off
    # to audit(), which is expected to end the script with the given audit reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # OS gate: the release string must mention "Red Hat", must yield a numeric
    # "Red Hat Enterprise Linux ... release N[.M]" version, and that version must
    # start with 2.1. Any other release is audited out before packages are read.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    # Keep only the first capture group (the version number).
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate in two steps: the first audit rejects anything that is not
    # x86_64, i[3-6]86 or s390; the second then rejects everything that is not
    # i[3-6]86. Only 32-bit x86 hosts reach the checks below; the two steps differ
    # in the audit reason they record.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    # Two evidence paths. When the host supplied yum updateinfo data, the verdict
    # comes only from whether a report is generated for RHSA-2003:008; no rpm
    # version comparison is made on that path.
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2003:008";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        # An empty report is audited as "not affected by the advisory".
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      # Fallback: count the packages that rpm_check() flags against the fixed
      # reference 1.1.30-0.7; presumably it returns true when the installed
      # package is older than `reference`. This is a version comparison only: it
      # does not look at the mode of the outgoing fax spool directory, so the
      # directory's permissions still have to be verified on the host itself.
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-1.1.30-0.7")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-sendfax-1.1.30-0.7")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-viewfax-1.1.30-0.7")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mgetty-voice-1.1.30-0.7")) flag++;
    
      if (flag)
      {
        # Report on port 0 with the package detail and the Red Hat package caveat.
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        # Distinguish "packages were compared and are fine" from "none of the
        # packages is installed" in the audit trail.
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mgetty / mgetty-sendfax / mgetty-viewfax / mgetty-voice");
      }
    }
    

Redhat

advisories
  • rhsa
    id: RHSA-2003:008
  • rhsa
    id: RHSA-2003:036