Vulnerabilities > CVE-2004-0784 - Unspecified vulnerability in ROB Flynn Gaim
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector.
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2004-278.NASL description 0.82 update contains many bug and security improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14373 published 2004-08-26 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14373 title Fedora Core 1 : gaim-0.82-0.FC1 (2004-278) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2004-278. # include("compat.inc"); if (description) { script_id(14373); script_version ("1.21"); script_cvs_date("Date: 2019/08/02 13:32:23"); script_cve_id("CVE-2004-0500", "CVE-2004-0754", "CVE-2004-0784", "CVE-2004-0785", "CVE-2004-2589"); script_xref(name:"FEDORA", value:"2004-278"); script_name(english:"Fedora Core 1 : gaim-0.82-0.FC1 (2004-278)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "0.82 update contains many bug and security improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2004-August/000270.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ddb24056" ); script_set_attribute( attribute:"solution", value:"Update the affected gaim and / or gaim-debuginfo packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gaim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:gaim-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC1", reference:"gaim-0.82-0.FC1")) flag++; if (rpm_check(release:"FC1", reference:"gaim-debuginfo-0.82-0.FC1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gaim / gaim-debuginfo"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2004-400.NASL description An updated gaim package that fixes several security issues is now available. Gaim is an instant messenger client that can handle multiple protocols. Buffer overflow bugs were found in the Gaim MSN protocol handler. In order to exploit these bugs, an attacker would have to perform a man in the middle attack between the MSN server and the vulnerable Gaim client. Such an attack could allow arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0500 to this issue. Buffer overflow bugs have been found in the Gaim URL decoder, local hostname resolver, and the RTF message parser. It is possible that a remote attacker could send carefully crafted data to a vulnerable client and lead to a crash or arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0785 to this issue. A shell escape bug has been found in the Gaim smiley theme file installation. When a user installs a smiley theme, which is contained within a tar file, the unarchiving of the data is done in an unsafe manner. An attacker could create a malicious smiley theme that would execute arbitrary commands if the theme was installed by the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0784 to this issue. An integer overflow bug has been found in the Gaim Groupware message receiver. It is possible that if a user connects to a malicious server, an attacker could send carefully crafted data which could lead to arbitrary code execution on the victims machine. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0754 to this issue. Users of Gaim are advised to upgrade to this updated package which contains Gaim version 0.82 and is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14696 published 2004-09-09 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14696 title RHEL 3 : gaim (RHSA-2004:400) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200408-27.NASL description The remote host is affected by the vulnerability described in GLSA-200408-27 (Gaim: New vulnerabilities) Gaim fails to do proper bounds checking when: Handling MSN messages (partially fixed with GLSA 200408-12). Handling rich text format messages. Resolving local hostname. Receiving long URLs. Handling groupware messages. Allocating memory for webpages with fake content-length header. Furthermore Gaim fails to escape filenames when using drag and drop installation of smiley themes. Impact : These vulnerabilities could allow an attacker to crash Gaim or execute arbitrary code or commands with the permissions of the user running Gaim. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of Gaim. last seen 2020-06-01 modified 2020-06-02 plugin id 14583 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14583 title GLSA-200408-27 : Gaim: New vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-110.NASL description More vulnerabilities have been discovered in the gaim instant messenger client. The vulnerabilities pertinent to version 0.75, which is the version shipped with Mandrakelinux 10.0, are: installing smiley themes could allow remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. There is also a buffer overflow in the way gaim handles receiving very long URLs. The provided packages have been patched to fix these problems. These issues, amongst others, have been fixed upstream in version 0.82. last seen 2020-06-01 modified 2020-06-02 plugin id 15546 published 2004-10-22 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15546 title Mandrake Linux Security Advisory : gaim (MDKSA-2004:110) NASL family Fedora Local Security Checks NASL id FEDORA_2004-279.NASL description 0.82 update contains many bug and security improvements. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14374 published 2004-08-26 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14374 title Fedora Core 2 : gaim-0.82-0.FC2 (2004-279) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_635BF5F426B711D99289000C41E2CDAD.NASL description The Gaim Security Issues page documents a problem with installing smiley themes from an untrusted source : To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command to untar it. However, it does not escape the filename before sending it to the shell. Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector. last seen 2020-06-01 modified 2020-06-02 plugin id 18959 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18959 title FreeBSD : gaim -- malicious smiley themes (635bf5f4-26b7-11d9-9289-000c41e2cdad)
Oval
| accepted | 2013-04-29T04:00:15.966-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:10008 | ||||||||
| status | accepted | ||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||
| title | The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. | ||||||||
| version | 26 |
Redhat
| advisories |
|
References
- http://gaim.sourceforge.net/security/?id=1
- http://www.fedoranews.org/updates/FEDORA-2004-278.shtml
- http://www.fedoranews.org/updates/FEDORA-2004-279.shtml
- http://www.gentoo.org/security/en/glsa/glsa-200408-27.xml
- http://www.redhat.com/support/errata/RHSA-2004-400.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17144
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10008