CVE-2004-0233 - Local vulnerability in UTempter
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | PARTIAL |
Availability impact | NONE |
Summary
Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Application | | 2 |
OS | | 2 |
Exploit-Db
description | UTempter 0.5.x Multiple Local Vulnerabilities. CVE-2004-0233. Local exploit for linux platform |
id | EDB-ID:24027 |
last seen | 2016-02-02 |
modified | 2004-04-19 |
published | 2004-04-19 |
reporter | Steve Grubb |
source | https://www.exploit-db.com/download/24027/ |
title | UTempter 0.5.x - Multiple Local Vulnerabilities |
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200405-05.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200405-05 (Utempter symlink vulnerability). Utempter contains a vulnerability that may allow local users to overwrite arbitrary files via a symlink attack. Impact: This vulnerability may allow arbitrary files to be overwritten with root privileges. Workaround: There is no known workaround at this time. All users are advised to upgrade to the latest available version of utempter. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14491 |
published | 2004-08-30 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14491 |
title | GLSA-200405-05 : Utempter symlink vulnerability |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2004-031.NASL |
description | Steve Grubb discovered two potential issues in the utempter program: 1) If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to. 2) Several calls to strncpy without a manual termination of the string. This would most likely crash utempter. The updated packages are patched to correct these problems. Update: The second portion of the patch to address the manual termination of the string has been determined to be unnecessary, as well as reducing the length of utmp strings by one character. As such, it has been removed. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14130 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14130 |
title | Mandrake Linux Security Advisory : utempter (MDKSA-2004:031-1) |

NASL family | Slackware Local Security Checks |
NASL id | SLACKWARE_SSA_2004-110-01.NASL |
description | New utempter packages are available for Slackware 9.1 and -current to fix a security issue. (Slackware 9.1 was the first version of Slackware to use the libutempter library, and earlier versions of Slackware are not affected by this issue.) The utempter package provides a utility and shared library that allows terminal applications such as xterm and screen to update /var/run/utmp and /var/log/wtmp without requiring root privileges. Steve Grubb has identified an issue with utempter-0.5.2 where under certain circumstances an attacker could cause it to overwrite files through a symlink. This has been addressed by upgrading the utempter package to use Dmitry V. Levin |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18769 |
published | 2005-07-13 |
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/18769 |
title | Slackware 9.1 / current : utempter security update (SSA:2004-110-01) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2004-174.NASL |
description | An updated utempter package that fixes a potential symlink vulnerability is now available. Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges. Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12490 |
published | 2004-07-06 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12490 |
title | RHEL 2.1 / 3 : utempter (RHSA-2004:174) |
Oval
accepted | 2013-04-29T04:01:51.280-04:00 |
class | vulnerability |
contributors | Aharon Chernin (SCAP.com, LLC); Dragos Prisaca (G2, Inc.) |
definition_extensions | The operating system installed on the system is Red Hat Enterprise Linux 3 (oval:org.mitre.oval:def:11782); CentOS Linux 3.x (oval:org.mitre.oval:def:16651) |
description | Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. |
family | unix |
id | oval:org.mitre.oval:def:10115 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. |
version | 27 |

accepted | 2004-07-12T12:00:00.000-04:00 |
class | vulnerability |
contributors | Jay Beale (Bastille Linux) |
description | Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. |
family | unix |
id | oval:org.mitre.oval:def:979 |
status | accepted |
submitted | 2004-06-10T12:00:00.000-04:00 |
title | Utempter Directory Traversal Vulnerability |
version | 3 |
Redhat
advisories |
rpms |
References
- http://security.gentoo.org/glsa/glsa-200405-05.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000752.1-1
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:031
- http://www.redhat.com/support/errata/RHSA-2004-174.html
- http://www.redhat.com/support/errata/RHSA-2004-175.html
- http://www.securityfocus.com/bid/10178
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.404389
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15904
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10115
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A979