Vulnerabilities > CVE-2004-0806 - Unspecified vulnerability in Cdrtools Cdrecord 1.11/2.0
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
description cdrecord $RSH exec() SUID Shell Creation. CVE-2004-0806. Local exploit for linux platform id EDB-ID:438 last seen 2016-01-31 modified 2004-09-11 published 2004-09-11 reporter I)ruid source https://www.exploit-db.com/download/438/ title cdrecord $RSH exec SUID Shell Creation description CDRecord's ReadCD - Local Root Privileges. CVE-2004-0806. Local exploit for linux platform id EDB-ID:469 last seen 2016-01-31 modified 2004-09-19 published 2004-09-19 reporter Max Vozeler source https://www.exploit-db.com/download/469/ title CDRecord's ReadCD - Local Root Privileges
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200409-18.NASL description The remote host is affected by the vulnerability described in GLSA-200409-18 (cdrtools: Local root vulnerability in cdrecord if set SUID root) Max Vozeler discovered that the cdrecord utility, when set to SUID root, fails to drop root privileges before executing a user-supplied RSH program. By default, Gentoo does not ship the cdrecord utility as SUID root and therefore is not vulnerable. However, many users (and CD-burning front-ends) set this manually after installation. Impact : A local attacker could specify a malicious program using the $RSH environment variable and have it executed by the SUID cdrecord, resulting in root privileges escalation. Workaround : As a workaround, you could remove the SUID rights from your cdrecord utility : # chmod a-s /usr/bin/cdrecord last seen 2020-06-01 modified 2020-06-02 plugin id 14746 published 2004-09-16 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14746 title GLSA-200409-18 : cdrtools: Local root vulnerability in cdrecord if set SUID root code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200409-18. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14746); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-0806"); script_xref(name:"GLSA", value:"200409-18"); script_name(english:"GLSA-200409-18 : cdrtools: Local root vulnerability in cdrecord if set SUID root"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200409-18 (cdrtools: Local root vulnerability in cdrecord if set SUID root) Max Vozeler discovered that the cdrecord utility, when set to SUID root, fails to drop root privileges before executing a user-supplied RSH program. By default, Gentoo does not ship the cdrecord utility as SUID root and therefore is not vulnerable. However, many users (and CD-burning front-ends) set this manually after installation. Impact : A local attacker could specify a malicious program using the $RSH environment variable and have it executed by the SUID cdrecord, resulting in root privileges escalation. Workaround : As a workaround, you could remove the SUID rights from your cdrecord utility : # chmod a-s /usr/bin/cdrecord" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200409-18" ); script_set_attribute( attribute:"solution", value: "All cdrtools users should upgrade to the latest version: # emerge sync # emerge -pv '>=app-cdr/cdrtools-2.01_alpha37-r1' # emerge '>=app-cdr/cdrtools-2.01_alpha37-r1'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:cdrtools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/09/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/16"); script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-cdr/cdrtools", unaffected:make_list("ge 2.01_alpha37-r1", "rge 2.01_alpha28-r2"), vulnerable:make_list("le 2.01_alpha37"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cdrtools"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-091.NASL description Max Vozeler found that the cdrecord program, which is suid root, fails to drop euid=0 when it exec()s a program specified by the user through the $RSH environment variable. This can be abused by a local attacker to obtain root privileges. The updated packages are patched to fix the vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 14680 published 2004-09-08 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14680 title Mandrake Linux Security Advisory : cdrecord (MDKSA-2004:091) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:091. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14680); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-0806"); script_xref(name:"MDKSA", value:"2004:091"); script_name(english:"Mandrake Linux Security Advisory : cdrecord (MDKSA-2004:091)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Max Vozeler found that the cdrecord program, which is suid root, fails to drop euid=0 when it exec()s a program specified by the user through the $RSH environment variable. This can be abused by a local attacker to obtain root privileges. The updated packages are patched to fix the vulnerability." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cdrecord"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cdrecord-cdda2wav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:cdrecord-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mkisofs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2004/09/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"cdrecord-2.01-0.a28.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"cdrecord-cdda2wav-2.01-0.a28.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"cdrecord-devel-2.01-0.a28.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"mkisofs-2.01-0.a28.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"cdrecord-2.01-0.a18.2.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"cdrecord-cdda2wav-2.01-0.a18.2.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"cdrecord-devel-2.01-0.a18.2.1.92mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"mkisofs-2.01-0.a18.2.1.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2004-297.NASL description Anyone who has manually suid /usr/bin/cdrecord should update to this version. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0806 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14701 published 2004-09-09 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14701 title Fedora Core 1 : cdrtools-2.01-0.a19.2.FC1.1 (2004-297) NASL family Fedora Local Security Checks NASL id FEDORA_2004-298.NASL description Anyone who has manually suid /usr/bin/cdrecord should update to this version. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0806 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 14702 published 2004-09-09 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14702 title Fedora Core 2 : cdrtools-2.01-0.a27.4.FC2.3 (2004-298)
Oval
| accepted | 2013-04-29T04:22:23.934-04:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. | ||||||||
| family | unix | ||||||||
| id | oval:org.mitre.oval:def:9805 | ||||||||
| status | accepted | ||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||
| title | cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. | ||||||||
| version | 26 |
Statements
| contributor | Mark J Cox |
| lastmodified | 2006-08-30 |
| organization | Red Hat |
| statement | Not vulnerable. cdrecord is not shipped setuid and does not need to be made setuid with Red Hat Enterprise Linux 2.1, 3, or 4 packages. |
References
- ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U
- ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U
- http://seclists.org/lists/bugtraq/2004/Sep/0097.html
- http://seclists.org/lists/bugtraq/2004/Sep/0097.html
- http://secunia.com/advisories/12481/
- http://secunia.com/advisories/12481/
- http://secunia.com/advisories/19532
- http://secunia.com/advisories/19532
- http://securitytracker.com/id?1011091
- http://securitytracker.com/id?1011091
- http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0108.html
- http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0108.html
- http://www.kb.cert.org/vuls/id/700326
- http://www.kb.cert.org/vuls/id/700326
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:091
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:091
- http://www.securityfocus.org/bid/11075
- http://www.securityfocus.org/bid/11075
- https://bugzilla.fedora.us/show_bug.cgi?id=2058
- https://bugzilla.fedora.us/show_bug.cgi?id=2058
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17303
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17303
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9805
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9805