Vulnerabilities > CVE-2003-0136 - Unspecified vulnerability in Astart Technologies Lprng
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Summary
psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 4 |
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-150.NASL description Updated LPRng packages resolving a temporary file vulnerability are now available. LPRng is a print spooler. LPRng includes a program, psbanner, that can be used to produce Postscript banner pages to separate print jobs. A vulnerability has been found in psbanner, which creates in an insecure manner a temporary file with a known filename. An attacker could create a symbolic link and cause arbitrary files to be written as the lp user. Note: psbanner is not used by the default Red Hat Enterprise Linux LPRng configuration. Users that have configured LPRng to use psbanner should install these updated packages, which contain a patch so that psbanner does not create the temporary file. last seen 2020-06-01 modified 2020-06-02 plugin id 12391 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12391 title RHEL 2.1 : LPRng (RHSA-2003:150) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2003:150. The text
# itself is copyright (C) Red Hat, Inc.
#

# Local check for RHSA-2003:150 / CVE-2003-0136. It reads host facts from the
# knowledge base and compares the installed LPRng package with the fixed build.
# It is a package-level check only: nothing here looks at whether psbanner is
# actually configured as a filter, so a finding means "update missing", not
# "psbanner in use" (the advisory text notes psbanner is off by default).

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits before any host check below runs.
if (description)
{
  script_id(12391);
  script_version ("1.27");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2003-0136");
  script_xref(name:"RHSA", value:"2003:150");

  script_name(english:"RHEL 2.1 : LPRng (RHSA-2003:150)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated LPRng packages resolving a temporary file vulnerability are now available. LPRng is a print spooler. 
LPRng includes a program, psbanner, that can be used to produce Postscript banner pages to separate print jobs. A vulnerability has been found in psbanner, which creates in an insecure manner a temporary file with a known filename. An attacker could create a symbolic link and cause arbitrary files to be written as the lp user. Note: psbanner is not used by the default Red Hat Enterprise Linux LPRng configuration. Users that have configured LPRng to use psbanner should install these updated packages, which contain a patch so that psbanner does not create the temporary file."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0136"
  );
  # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=188366
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=188366"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2003:150"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected LPRng package.");
  # CVSS2 vector: local access, low complexity, no authentication; the only
  # rated impact is partial integrity (the file overwrite), with no
  # confidentiality or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:LPRng");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  # KB keys read by the checks below; presumably populated by
  # ssh_get_info.nasl - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Gate 1: local checks must be enabled and the release string must contain
# "Red Hat" (`>!<` is NASL's "substring not found" operator).
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

# Gate 2: extract the release number and accept only 2.1; the trailing
# ([^0-9]|$) keeps a longer number such as "2.10" from matching.
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

# Gate 3: a collected package list is required; without it the check audits
# out instead of reporting the host as clean.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Gate 4: architecture. The first test rejects CPUs the Red Hat checks do not
# cover at all; the second narrows this advisory to i386-family hosts, so
# x86_64 and s390 hosts audit out here and are never package-checked.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

# Two mutually exclusive verdict paths. When yum updateinfo data was collected,
# the result comes from it alone and the rpm_check fallback is not consulted.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2003:150";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    # A non-empty report is treated as "advisory applies to this host".
    security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  # Fallback: compare the installed LPRng build with LPRng-3.7.4-28.2.
  # Presumably rpm_check() is true when the installed version is older than
  # the reference - confirm in rpm.inc.
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"LPRng-3.7.4-28.2")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    # Distinguish "package present and not affected" from "package absent" so
    # the audit trail shows which of the two applied.
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "LPRng");
  }
}
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-060.NASL description Karol Lewandowski discovered a problem with psbanner, a printer filter that creates a PostScript format banner. psbanner creates a temporary file for debugging purposes when it is configured as a filter, and does not check whether or not this file already exists or is a symlink. The filter will overwrite this file, or the file it is pointing to (if it is a symlink) with its current environment and called arguments with the user id that LPRng is running as. last seen 2020-06-01 modified 2020-06-02 plugin id 14043 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14043 title Mandrake Linux Security Advisory : LPRng (MDKSA-2003:060) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2003:060.
# The text itself is copyright (C) Mandriva S.A.
#

# Local check for MDKSA-2003:060 / CVE-2003-0136. It compares the installed
# LPRng package on Mandrake 8.2 and 9.0 with the fixed builds. It is a
# package-level check only; it does not look at whether psbanner is configured
# as a filter, which the advisory text gives as the precondition.

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits before any host check below runs.
if (description)
{
  script_id(14043);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2003-0136");
  script_xref(name:"MDKSA", value:"2003:060");

  script_name(english:"Mandrake Linux Security Advisory : LPRng (MDKSA-2003:060)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandrake Linux host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Karol Lewandowski discovered a problem with psbanner, a printer filter that creates a PostScript format banner. psbanner creates a temporary file for debugging purposes when it is configured as a filter, and does not check whether or not this file already exists or is a symlink. 
The filter will overwrite this file, or the file it is pointing to (if it is a symlink) with its current environment and called arguments with the user id that LPRng is running as."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected LPRng package.");
  # CVSS2 vector: local access, low complexity, no authentication; the only
  # rated impact is partial integrity (the file overwrite).
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:LPRng");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/05/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # KB keys read by the checks below; presumably populated by
  # ssh_get_info.nasl - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks enabled, a Mandrake release key, and a collected
# package list. A missing list audits out instead of reporting the host clean.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# NOTE(review): "Mandake" in the next audit string looks like a typo for
# "Mandrake" (the CPU audit below spells it correctly); it only affects the
# wording of the audit message.
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# NOTE(review): this gate admits amd64 and x86_64, but both rpm_check calls
# below name cpu:"i386"; whether 64-bit hosts are really evaluated depends on
# how rpm_check treats the cpu argument - confirm in rpm.inc.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# One comparison per affected release, each against that release's fixed build.
# Presumably rpm_check() is true when the installed version is older than the
# reference, and yank:"mdk" drops the vendor suffix first - confirm in rpm.inc.
flag = 0;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"LPRng-3.8.6-2.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"LPRng-3.8.12-2.1mdk", yank:"mdk")) flag++;

if (flag)
{
  # The package detail is attached only when report_verbosity is above zero;
  # otherwise a bare finding is raised.
  if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-285.NASL description Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purpose when it is configured as filter. The program does not check whether this file already exists or is linked to another place, psbanner writes its current environment and called arguments to the file unconditionally with the user id daemon. last seen 2020-06-01 modified 2020-06-02 plugin id 15122 published 2004-09-29 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15122 title Debian DSA-285-1 : lprng - insecure temporary file code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-285. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Local check for DSA-285 / CVE-2003-0136. It compares the installed lprng
# packages on Debian 3.0 with the fixed version. It is a package-level check
# only; it does not look at whether psbanner is configured as a filter, which
# the advisory text gives as the precondition.

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits before any host check below runs.
if (description)
{
  script_id(15122);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0136");
  script_bugtraq_id(7334);
  script_xref(name:"DSA", value:"285");

  script_name(english:"Debian DSA-285-1 : lprng - insecure temporary file");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purpose when it is configured as filter. The program does not check whether this file already exists or is linked to another place, psbanner writes its current environment and called arguments to the file unconditionally with the user id daemon."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-285"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the lprng package. For the stable distribution (woody) this problem has been fixed in version 3.8.10-1.2. The old stable distribution (potato) is not affected by this problem."
  );
  # CVSS2 base vector: local access, low complexity, no authentication; the
  # only rated impact is partial integrity. The temporal vector records
  # "unproven" exploitability, an official fix, and a confirmed report.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:lprng");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # KB keys read by the checks below; presumably populated by
  # ssh_get_info.nasl - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks enabled, a Debian release key, and collected
# dpkg output. Missing dpkg data audits out instead of reporting the host
# clean. Unlike the RPM-based checks for this CVE there is no CPU gate here.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Both lprng and lprng-doc are compared with 3.8.10-1.2, the fixed version
# named in the solution text, and only for release 3.0. Presumably deb_check()
# is true when the installed version is older than the reference - confirm in
# debian_package.inc.
flag = 0;
if (deb_check(release:"3.0", prefix:"lprng", reference:"3.8.10-1.2")) flag++;
if (deb_check(release:"3.0", prefix:"lprng-doc", reference:"3.8.10-1.2")) flag++;

if (flag)
{
  # The package detail is attached only when report_verbosity is above zero;
  # otherwise a bare finding is raised.
  if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());
  else security_note(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Oval
accepted | 2010-09-20T04:00:24.159-04:00 |
class | vulnerability |
contributors | |
description | psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. |
family | unix |
id | oval:org.mitre.oval:def:423 |
status | accepted |
submitted | 2003-08-17T12:00:00.000-04:00 |
title | LPRng Symbolic Link Attack Vulnerability |
version | 38 |
Redhat
advisories |
|