Vulnerabilities > CVE-2004-0975

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
local
low complexity
mandrakesoft
openssl
gentoo
nessus

Summary

The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2004-147.NASL
    descriptionThe Trustix developers found that the der_chop script, included in the openssl package, created temporary files insecurely. This could allow local users to overwrite files using a symlink attack. The updated packages have been patched to prevent this problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id15920
    published2004-12-07
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15920
    titleMandrake Linux Security Advisory : openssl (MDKSA-2004:147)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2004:147. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15920);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-0975");
      script_xref(name:"MDKSA", value:"2004:147");
    
      script_name(english:"Mandrake Linux Security Advisory : openssl (MDKSA-2004:147)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Trustix developers found that the der_chop script, included in the
    openssl package, created temporary files insecurely. This could allow
    local users to overwrite files using a symlink attack.
    
    The updated packages have been patched to prevent this problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.7-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64openssl0.9.7-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.7-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libopenssl0.9.7-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openssl");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64openssl0.9.7-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64openssl0.9.7-devel-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64openssl0.9.7-static-devel-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libopenssl0.9.7-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libopenssl0.9.7-devel-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libopenssl0.9.7-static-devel-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"openssl-0.9.7c-3.1.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64openssl0.9.7-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64openssl0.9.7-devel-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64openssl0.9.7-static-devel-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libopenssl0.9.7-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libopenssl0.9.7-devel-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libopenssl0.9.7-static-devel-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"openssl-0.9.7d-1.1.101mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64openssl0.9.7-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64openssl0.9.7-devel-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64openssl0.9.7-static-devel-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libopenssl0.9.7-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libopenssl0.9.7-devel-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libopenssl0.9.7-static-devel-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"openssl-0.9.7b-5.1.92mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyWeb Servers
    NASL idOPENSSL_0_9_7F.NASL
    descriptionAccording to its banner, the remote server is running a version of OpenSSL that is earlier than 0.9.7f. The der_chop script that is shipped with these versions allows a malicious user to overwrite arbitrary files. Note that this was fixed in the 0.9.6 CVS but no new version was published in the 0.9.6 branch.
    last seen2020-06-01
    modified2020-06-02
    plugin id17754
    published2012-01-04
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17754
    titleOpenSSL < 0.9.7f Insecure Temporary File Creation
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17754);
      script_version("1.7");
      script_cvs_date("Date: 2018/11/15 20:50:25");
    
      script_cve_id("CVE-2004-0975");
      script_bugtraq_id(11293);
    
      script_name(english:"OpenSSL < 0.9.7f Insecure Temporary File Creation");
      script_summary(english:"Does a banner check");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary files could be overwritten on the remote server.");
    
      script_set_attribute(attribute:"description", value:
    "According to its banner, the remote server is running a version of 
    OpenSSL that is earlier than 0.9.7f. 
    
    The der_chop script that is shipped with these versions allows a
    malicious user to overwrite arbitrary files. 
    
    Note that this was fixed in the 0.9.6 CVS but no new version was
    published in the 0.9.6 branch.");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/vulnerabilities.html#2004-0975");
      script_set_attribute(attribute:"solution", value:"Upgrade to OpenSSL 0.9.7f or later.");
     script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/04");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("openssl_version.nasl");
      script_require_keys("openssl/port");
    
      exit(0);
    }
    
    include("openssl_version.inc");
    
    openssl_check_version(fixed:'0.9.7f', severity:SECURITY_NOTE);
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-476.NASL
    descriptionUpdated OpenSSL packages that fix security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CVE-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
    last seen2020-06-01
    modified2020-06-02
    plugin id21830
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21830
    titleCentOS 3 / 4 : openssl (CESA-2005:476)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200411-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200411-15 (OpenSSL, Groff: Insecure tempfile handling) groffer and the der_chop script create temporary files in world-writeable directories with predictable names. Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When groffer or der_chop is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id15649
    published2004-11-08
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15649
    titleGLSA-200411-15 : OpenSSL, Groff: Insecure tempfile handling
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-603.NASL
    descriptionTrustix developers discovered insecure temporary file creation in a supplemental script (der_chop) of the openssl package which may allow local users to overwrite files via a symlink attack.
    last seen2020-06-01
    modified2020-06-02
    plugin id15893
    published2004-12-01
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15893
    titleDebian DSA-603-1 : openssl - insecure temporary file
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-476.NASL
    descriptionUpdated OpenSSL packages that fix security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Colin Percival reported a cache timing attack that could allow a malicious local user to gain portions of cryptographic keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-0109 to the issue. The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private-key operations. This patch is designed to mitigate cache timing and potentially related attacks. A flaw was found in the way the der_chop script creates temporary files. It is possible that a malicious local user could cause der_chop to overwrite files (CVE-2004-0975). The der_chop script was deprecated and has been removed from these updated packages. Red Hat Enterprise Linux 4 did not ship der_chop and is therefore not vulnerable to this issue. Users are advised to update to these erratum packages which contain patches to correct these issues. Please note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.
    last seen2020-06-01
    modified2020-06-02
    plugin id18409
    published2005-06-02
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18409
    titleRHEL 2.1 / 3 / 4 : openssl (RHSA-2005:476)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-24-1.NASL
    descriptionRecently, Trustix Secure Linux discovered a vulnerability in the openssl package. The auxiliary script
    last seen2020-06-01
    modified2020-06-02
    plugin id20639
    published2006-01-15
    reporterUbuntu Security Notice (C) 2004-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20639
    titleUbuntu 4.10 : openssl script vulnerability (USN-24-1)

Oval

  • accepted2013-04-29T04:07:10.127-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    descriptionThe der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
    familyunix
    idoval:org.mitre.oval:def:10621
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleThe der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
    version26
  • accepted2005-08-18T07:37:00.000-04:00
    classvulnerability
    contributors
    nameJay Beale
    organizationBastille Linux
    descriptionThe der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.
    familyunix
    idoval:org.mitre.oval:def:164
    statusaccepted
    submitted2005-06-14T12:00:00.000-04:00
    titleTrustix Secure Linux der_chop Script Symlink Attack Vulnerability
    version5

Redhat

advisories
rhsa
idRHSA-2005:476
rpms
  • openssl-0:0.9.7a-33.15
  • openssl-0:0.9.7a-43.2
  • openssl-debuginfo-0:0.9.7a-33.15
  • openssl-debuginfo-0:0.9.7a-43.2
  • openssl-devel-0:0.9.7a-33.15
  • openssl-devel-0:0.9.7a-43.2
  • openssl-perl-0:0.9.7a-33.15
  • openssl-perl-0:0.9.7a-43.2
  • openssl096b-0:0.9.6b-16.22.3
  • openssl096b-0:0.9.6b-22.3
  • openssl096b-debuginfo-0:0.9.6b-16.22.3
  • openssl096b-debuginfo-0:0.9.6b-22.3

Statements

contributorMark J Cox
lastmodified2007-03-14
organizationRed Hat
statementRed Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.