Vulnerabilities > CVE-2004-0564
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Roaring Penguin pppoe (rp-ppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this identifier applies *only* to those configurations and installations under which pppoe is run setuid root despite the developer's warnings.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 | |
| OS | 12 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-557.NASL description Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system. last seen 2020-06-01 modified 2020-06-02 plugin id 15655 published 2004-11-10 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15655 title Debian DSA-557-1 : rp-pppoe - missing privilege dropping code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-557. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(15655); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:18"); script_cve_id("CVE-2004-0564"); script_xref(name:"DSA", value:"557"); script_name(english:"Debian DSA-557-1 : rp-pppoe - missing privilege dropping"); script_summary(english:"Checks dpkg output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system." ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-557" ); script_set_attribute( attribute:"solution", value: "Upgrade the pppoe package. For the stable distribution (woody) this problem has been fixed in version 3.3-1.2." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pppoe"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rp-pppoe"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/11/10"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"pppoe", reference:"3.3-1.2")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:deb_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-145.NASL description Max Vozeler discovered that when pppoe, part of the rp-pppoe package, is running setuid root, an attacker can overwrite any file on the system. Mandrakelinux does not install pppoe setuid, nor is it meant to be run setuid. Regardless, the packages have been patched to prevent this problem. last seen 2020-06-01 modified 2020-06-02 plugin id 15918 published 2004-12-07 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15918 title Mandrake Linux Security Advisory : rp-pppoe (MDKSA-2004:145) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:145. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(15918); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0564"); script_xref(name:"MDKSA", value:"2004:145"); script_name(english:"Mandrake Linux Security Advisory : rp-pppoe (MDKSA-2004:145)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Max Vozeler discovered that when pppoe, part of the rp-pppoe package, is running setuid root, an attacker can overwrite any file on the system. Mandrakelinux does not install pppoe setuid, nor is it meant to be run setuid. Regardless, the packages have been patched to prevent this problem." ); script_set_attribute( attribute:"solution", value:"Update the affected rp-pppoe and / or rp-pppoe-gui packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rp-pppoe"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rp-pppoe-gui"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/12/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/07"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"rp-pppoe-3.5-3.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"rp-pppoe-gui-3.5-3.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"rp-pppoe-3.5-4.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"rp-pppoe-gui-3.5-4.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"rp-pppoe-3.5-3.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"rp-pppoe-gui-3.5-3.1.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://marc.info/?l=bugtraq&m=110247119200510&w=2
- http://marc.info/?l=bugtraq&m=110253341209450&w=2
- http://www.debian.org/security/2004/dsa-557
- http://www.fedoralegacy.org/updates/FC1/2005-11-14-FLSA_2005_152794__Updated_rp_pppoe_package_fixes_security_issue.html
- http://www.securityfocus.com/bid/11315
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17576