Vulnerabilities > CVE-2003-0173

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
xfsdump
sgi
nessus

Summary

xfsdq in xfsdump does not create quota information files securely, which allows local users to gain root privileges.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2003-047.NASL
    descriptionA vulnerability was discovered in xfsdump by Ethan Benson related to filesystem quotas on the XFS filesystem. When xfsdump runs xfsdq to save the quota information into a file at the root of the filesystem being dumped, the file is created in an unsafe manner. A new option to xfsdq was added when fixing this vulnerability:
    last seen2020-06-01
    modified2020-06-02
    plugin id14031
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14031
    titleMandrake Linux Security Advisory : xfsdump (MDKSA-2003:047)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2003:047. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14031);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2003-0173");
      script_xref(name:"MDKSA", value:"2003:047");
    
      script_name(english:"Mandrake Linux Security Advisory : xfsdump (MDKSA-2003:047)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in xfsdump by Ethan Benson related to
    filesystem quotas on the XFS filesystem. When xfsdump runs xfsdq to
    save the quota information into a file at the root of the filesystem
    being dumped, the file is created in an unsafe manner.
    
    A new option to xfsdq was added when fixing this vulnerability: '-f
    path'. This specifies an output file to use instead of the default
    output stream. If the file exists already, xfsdq will abort and if the
    file doesn't already exist, it will be created with more appropriate
    access permissions."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libdm0, libdm0-devel and / or xfsdump packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libdm0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libdm0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xfsdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"xfsdump-2.0.0-2.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"xfsdump-2.0.3-1.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libdm0-2.0.5-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libdm0-devel-2.0.5-1.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"xfsdump-2.0.3-1.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-283.NASL
    descriptionEthan Benson discovered a problem in xfsdump, that contains administrative utilities for the XFS filesystem. When filesystem quotas are enabled xfsdump runs xfsdq to save the quota information into a file at the root of the filesystem being dumped. The manner in which this file is created is unsafe. While fixing this, a new option
    last seen2020-06-01
    modified2020-06-02
    plugin id15120
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15120
    titleDebian DSA-283-1 : xfsdump - insecure file creation
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-283. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15120);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0173");
      script_bugtraq_id(7321);
      script_xref(name:"CERT", value:"111673");
      script_xref(name:"DSA", value:"283");
    
      script_name(english:"Debian DSA-283-1 : xfsdump - insecure file creation");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Ethan Benson discovered a problem in xfsdump, that contains
    administrative utilities for the XFS filesystem. When filesystem
    quotas are enabled xfsdump runs xfsdq to save the quota information
    into a file at the root of the filesystem being dumped. The manner in
    which this file is created is unsafe.
    
    While fixing this, a new option '-f path' has been added to xfsdq(8)
    to specify an output file instead of using the standard output stream.
    This file is created by xfsdq and xfsdq will fail to run if it exists
    already. The file is also created with a more appropriate mode than
    whatever the umask happened to be when xfsdump(8) was run."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2003/dsa-283"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xfsdump package immediately.
    
    For the stable distribution (woody) this problem has been fixed in
    version 2.0.1-2.
    
    The old stable distribution (potato) is not affected since it doesn't
    contain xfsdump packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xfsdump");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/04/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"xfsdump", reference:"2.0.1-2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");