Vulnerabilities > CVE-2004-1170
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |
Summary
a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Application | | 2 |
OS | | 7 |
Exploit-Db
description | GNU a2ps 4.13 File Name Command Execution Vulnerability. CVE-2004-1170. Local exploit for linux platform |
id | EDB-ID:24406 |
last seen | 2016-02-02 |
modified | 2004-08-24 |
published | 2004-08-24 |
reporter | Rudolf Polzer |
source | https://www.exploit-db.com/download/24406/ |
title | GNU a2ps 4.13 File Name Command Execution Vulnerability |
Nessus
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-612.NASL |
description | Rudolf Polzer discovered a vulnerability in a2ps, a converter and pretty-printer for many formats to PostScript. The program did not escape shell meta characters properly which could lead to the execution of arbitrary commands as a privileged user if a2ps is installed as a printer filter. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16008 |
published | 2004-12-20 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/16008 |
title | Debian DSA-612-1 : a2ps - unsanitised input |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200501-02.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200501-02 (a2ps: Multiple vulnerabilities) Javier Fernandez-Sanguino Pena discovered that the a2ps package contains two scripts that create insecure temporary files (fixps and psmandup). Furthermore, we fixed in a previous revision a vulnerability in a2ps filename handling (CAN-2004-1170). Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When fixps or psmandup is executed, this would result in the file being overwritten with the rights of the user running the utility. By enticing a user or script to run a2ps on a malicious filename, an attacker could execute arbitrary commands on the system with the rights of that user or script. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 16393 |
published | 2005-02-14 |
reporter | This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/16393 |
title | GLSA-200501-02 : a2ps: Multiple vulnerabilities |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_8091FCEAF35E11D881B0000347A4FA7D.NASL |
description | Rudolf Polzer reports : a2ps builds a command line for file() containing an unescaped version of the file name, thus might call external programs described by the file name. Running a cronjob over a public writable directory a2ps-ing all files in it - or simply typing |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 37951 |
published | 2009-04-23 |
reporter | This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/37951 |
title | FreeBSD : a2ps -- insecure command line argument handling (8091fcea-f35e-11d8-81b0-000347a4fa7d) |

NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2004-140.NASL |
description | The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. The updated packages have been patched to prevent this problem. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15838 |
published | 2004-11-27 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15838 |
title | Mandrake Linux Security Advisory : a2ps (MDKSA-2004:140) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_A2PS_413B2.NASL |
description | The following package needs to be updated: a2ps-a4 |
last seen | 2016-09-26 |
modified | 2011-10-03 |
plugin id | 15524 |
published | 2004-10-20 |
reporter | Tenable |
source | https://www.tenable.com/plugins/index.php?view=single&id=15524 |
title | FreeBSD : a2ps -- insecure command line argument handling (4) |
Statements
contributor | Mark J Cox |
lastmodified | 2007-03-14 |
organization | Red Hat |
statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
- http://bugs.debian.org/283134
- http://marc.info/?l=bugtraq&m=110598355226660&w=2
- http://secunia.com/advisories/12375
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57649-1&searchclause=
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:140
- http://www.novell.com/linux/security/advisories/2004_34_xfree86_libs_xshared.html
- http://www.securiteam.com/unixfocus/5MP0N2KDPA.html
- http://www.securityfocus.com/archive/1/419765/100/0/threaded
- http://www.securityfocus.com/bid/11025
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17127