Vulnerabilities > CVE-2004-0157 - Unspecified vulnerability in Xonix

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
xonix
nessus

Summary

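x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program. Because xonix invokes the external program while still holding its setgid privileges (see the plugin descriptions below), the substituted program runs with the privileges of the 'games' group.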

Vulnerable Configurations

Part Description Count
Application
Xonix
1

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_XONIX_141.NASL
    description: The remote host is running an older version of Xonix. Xonix is a game. This version of Xonix calls an external program while retaining setgid privileges. An attacker, exploiting this flaw, would need local access. A successful attack would give the attacker the privileges of the 'games' group.
    last seen: 2016-09-26
    modified: 2011-10-03
    plugin id: 14281
    published: 2004-08-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=14281
    title: FreeBSD Xonix vulnerability
    code
    #%NASL_MIN_LEVEL 999999
    
    # @DEPRECATED@
    #
    # This script has been deprecated as the VuXML entry has been 
    # cancelled.
    #
    # Disabled on 2011/10/02.
    
    #
    # (C) Tenable Network Security
    #
    #
    # Stop right away when the interpreter does not provide bn_random().
    # NOTE(review): presumably a proxy for "scanner engine too old for this
    # plugin" - confirm against the engine documentation.
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the plugin only declares its
    # metadata and exits (see the exit(0) that closes this block); no host data
    # is read here.
    if(description)
    {
     # Identifiers linking the plugin to the advisory: plugin id, Bugtraq id, CVE.
     script_id(14281);
     script_bugtraq_id(10149);
     script_cve_id("CVE-2004-0157");
     script_version ("1.12");
    
     name["english"] = "FreeBSD Xonix vulnerability";
     
     script_name(english:name["english"]);
     
     # Root cause as stated in the description text: an external program is
     # called while the game still holds its setgid privileges, so a local user
     # can end up with the privileges of the 'games' group.
     script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is running an older version of Xonix.
    
    Xonix is a game.
    
    This version of Xonix calls an external program while retaining
    setgid privileges.  An attacker, exploiting this flaw, would need
    local access.  A successful attack would give the attacker the
    privileges of the 'games' group." );
     # The solution is only a VuXML URL. The header comment of this file says
     # the VuXML entry was cancelled - presumably the entry behind this URL, so
     # the link may no longer give remediation guidance (confirm).
     script_set_attribute(attribute:"solution", value:
    "http://www.vuxml.org/freebsd/6fd9a1e9-efd3-11d8-9837-000c41e2cdad.html" );
     # CVSS v2 base vector: local access, low complexity, no authentication,
     # partial confidentiality / integrity / availability impact.
     # Temporal vector: exploitability unproven, official fix, report confirmed.
     script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/17");
     script_cvs_date("Date: 2018/07/20  0:18:52");
     script_end_attributes();
    
     
     # The summary text says "local exploit", but the category registered just
     # below is ACT_GATHER_INFO: the plugin collects information and does not
     # attempt exploitation.
     summary["english"] = "FreeBSD Xonix local exploit";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     family["english"] = "FreeBSD Local Security Checks";
     script_family(english:family["english"]);
     
     # Needs the knowledge-base key Host/FreeBSD/pkg_info; ssh_get_info.nasl is
     # declared as a dependency (presumably the plugin that fills that key -
     # confirm).
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/FreeBSD/pkg_info");
     # End of the registration pass.
     exit(0);
    }
    
    
    # Unconditional exit: the plugin is deprecated, so every statement after
    # this line is unreachable and survives only as a record of the former
    # check. A scan therefore never reports CVE-2004-0157 through this plugin.
    exit(0, "This plugin has been deprecated as the associated VuXML entry has been cancelled.");
    
    include("freebsd_package.inc");
    
    
    # (Unreachable) Former check: read the package list cached in the knowledge
    # base under Host/FreeBSD/pkg_info.
    pkgs = get_kb_item("Host/FreeBSD/pkg_info");
    # Keep only the lines that begin with "xonix-".
    # NOTE(review): the pattern would also match any other package whose name
    # starts with "xonix-", and egrep may return more than one line; confirm
    # how pkg_cmp treats such input.
    package = egrep(pattern:"^xonix-", string:pkgs);
    # Warn when pkg_cmp() returns a negative value against "xonix-1.4_1"
    # (presumably "installed version is older than the reference" - confirm in
    # freebsd_package.inc). The visible code works on the package-list string
    # only; it does not inspect the installed binary or its setgid bit.
    if ( package && pkg_cmp(pkg:package, reference:"xonix-1.4_1") < 0 )
            security_warning(0);
    
    
    
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-484.NASL
    description: Steve Kemp discovered a vulnerability in xonix, a game, where an external program was invoked while retaining setgid privileges. A local attacker could exploit this vulnerability to gain gid 'games'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15321
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15321
    title: Debian DSA-484-1 : xonix - failure to drop privileges
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-484. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the plugin only declares its
    # metadata and exits (see the exit(0) that closes this block); no host data
    # is read here.
    if (description)
    {
      script_id(15321);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      # Cross-references to the advisory: CVE, Bugtraq id and Debian DSA number.
      script_cve_id("CVE-2004-0157");
      script_bugtraq_id(10149);
      script_xref(name:"DSA", value:"484");
    
      script_name(english:"Debian DSA-484-1 : xonix - failure to drop privileges");
      # As the summary says, the check is based on dpkg output (installed
      # package versions), not on probing the game binary.
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Root cause as stated in the description text: an external program is
      # invoked while setgid privileges are retained, which lets a local user
      # gain gid 'games'.
      script_set_attribute(
        attribute:"description", 
        value:
    "Steve Kemp discovered a vulnerability in xonix, a game, where an
    external program was invoked while retaining setgid privileges. A
    local attacker could exploit this vulnerability to gain gid 'games'."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-484"
      );
      # Fixed package version named by the advisory for the woody release.
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the current stable distribution (woody) this problem will be fixed
    in version 1.4-19woody1.
    
    We recommend that you update your xonix package."
      );
      # CVSS v2 base vector: local access, low complexity, no authentication,
      # partial confidentiality / integrity / availability impact.
      # Temporal vector: exploitability unproven, official fix, report confirmed.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # Declared as a local check; the CPE attributes name the xonix package and
      # Debian 3.0.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xonix");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      # The patch date precedes the plugin date by several months.
      script_set_attribute(attribute:"patch_publication_date", value:"2004/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Needs local checks enabled plus the Debian release and dpkg listing in
      # the knowledge base; ssh_get_info.nasl is declared as a dependency
      # (presumably the plugin that fills those keys - confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      # End of the registration pass.
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each missing knowledge-base item is passed to audit() with
    # a matching reason code.
    # NOTE(review): presumably audit() ends the script, so the version check
    # below runs only with local checks, a Debian release and a dpkg listing
    # available - confirm in audit.inc.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Count findings: a truthy deb_check() result for Debian release "3.0" and
    # package prefix "xonix" against reference "1.4-19woody1" raises the flag
    # (presumably "installed package is older than the reference" - confirm in
    # debian_package.inc). Only release "3.0" is tested here; this is a version
    # inference from the package list, not a check of the binary's setgid bit.
    flag = 0;
    if (deb_check(release:"3.0", prefix:"xonix", reference:"1.4-19woody1")) flag++;
    
    if (flag)
    {
      # Attach the deb_report_get() output when verbosity is above zero,
      # otherwise emit a bare warning on port 0.
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    # No finding: record the host as not affected.
    else audit(AUDIT_HOST_NOT, "affected");