CVE-2004-1185 - Multiple vulnerabilities in GNU Enscript

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-68-1.NASL
    description: Erik Sjolund discovered several vulnerabilities in enscript which could cause arbitrary code execution with the privileges of the user calling enscript. Quotes and other shell escape characters in titles and file names were not handled in previous versions. (CAN-2004-1184) Previous versions supported reading EPS data not only from a file, but also from an arbitrary command pipe. Since checking for unwanted side effects is infeasible, this feature has been disabled after consultation with the authors of enscript. (CAN-2004-1185) Finally, this update fixes two buffer overflows which were triggered by certain input files. (CAN-2004-1186) These issues can lead to privilege escalation if enscript is called automatically from web server applications like viewcvs. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20688
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20688
    title: Ubuntu 4.10 : enscript vulnerabilities (USN-68-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-040.NASL
    description: An updated enscript package that fixes several security issues is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1185 and CVE-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17172
    published: 2005-02-22
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17172
    title: RHEL 4 : enscript (RHSA-2005:040)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200502-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200502-03 (enscript: Multiple vulnerabilities) Erik Sjolund discovered several issues in enscript: it suffers from several buffer overflows (CAN-2004-1186), quotes and shell escape characters are insufficiently sanitized in filenames (CAN-2004-1185), and it supported taking input from an arbitrary command pipe, with unwanted side effects (CAN-2004-1184). Impact : An attacker could design malicious files or input data which, once fed into enscript, would trigger the execution of arbitrary code with the rights of the user running enscript. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16440
    published: 2005-02-14
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16440
    title: GLSA-200502-03 : enscript: Multiple vulnerabilities
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_72DA8AF67C7511D98CC5000854D03344.NASL
    description: Erik Sjolund discovered several issues in enscript : it suffers from several buffer overflows, quotes and shell escape characters are insufficiently sanitized in filenames, and it supported taking input from an arbitrary command pipe, with unwanted side effects.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18981
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/18981
    title: FreeBSD : enscript -- multiple vulnerabilities (72da8af6-7c75-11d9-8cc5-000854d03344)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-033.NASL
    description: A vulnerability in the enscript program
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16376
    published: 2005-02-11
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16376
    title: Mandrake Linux Security Advisory : enscript (MDKSA-2005:033)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_9867.NASL
    description: - Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream. (CVE-2004-1184) - Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. (CVE-2004-1185) - Multiple buffer overflows can cause the program to crash. (CVE-2004-1186)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41347
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41347
    title: SuSE9 Security Update : enscript (YOU Patch Number 9867)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-654.NASL
    description: Erik Sjolund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CAN-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream. - CAN-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. - CAN-2004-1186 Multiple buffer overflows can cause the program to crash. Usually, enscript is only run locally, but since it is executed inside of viewcvs some of the problems mentioned above can easily be turned into a remote vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16238
    published: 2005-01-25
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16238
    title: Debian DSA-654-1 : enscript - several vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-015.NASL
    description: Erik Sjolund has discovered several security relevant problems in enscript, a program to convert ASCII text to Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream. - CVE-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. - CVE-2004-1186 Multiple buffer overflows can cause the program to crash. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16267
    published: 2005-01-27
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16267
    title: Fedora Core 2 : enscript-1.6.1-25.2 (2005-015)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-016.NASL
    description: Erik Sjolund has discovered several security relevant problems in enscript, a program to convert ASCII text to Postscript and other formats. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2004-1184 Unsanitised input can cause the execution of arbitrary commands via EPSF pipe support. This has been disabled, also upstream. - CVE-2004-1185 Due to missing sanitising of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. - CVE-2004-1186 Multiple buffer overflows can cause the program to crash. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16268
    published: 2005-01-27
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16268
    title: Fedora Core 3 : enscript-1.6.1-28.0.2 (2005-016)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_5_7.NASL
    description: The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38744
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38744
    title: Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-039.NASL
    description: An updated enscript package that fixes several security issues is now available. GNU enscript converts ASCII files to PostScript. Enscript has the ability to interpret special escape sequences. A flaw was found in the handling of the epsf command used to insert inline EPS files into a document. An attacker could create a carefully crafted ASCII file which made use of the epsf pipe command in such a way that it could execute arbitrary commands if the file was opened with enscript by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1184 to this issue. Additional flaws in Enscript were also discovered which can only be triggered by executing enscript with carefully crafted command line arguments. These flaws therefore only have a security impact if enscript is executed by other programs and passed untrusted data from remote users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-1185 and CVE-2004-1186 to these issues. All users of enscript should upgrade to these updated packages, which resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16296
    published: 2005-02-02
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/16296
    title: RHEL 2.1 / 3 : enscript (RHSA-2005:039)
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2009-002.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2009-002 applied. This security update contains fixes for the following products : - Apache - ATS - BIND - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - IPSec - Kerberos - Launch Services - libxml - Net-SNMP - Network Time - OpenSSL - QuickDraw Manager - Spotlight - system_cmds - telnet - Terminal - X11
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38743
    published: 2009-05-13
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/38743
    title: Mac OS X Multiple Vulnerabilities (Security Update 2009-002)

Oval

accepted: 2013-04-29T04:08:58.007-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames.
family: unix
id: oval:org.mitre.oval:def:10808
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames.
version: 26

Redhat

advisories
rhsa
id: RHSA-2005:040
rpms
  • enscript-0:1.6.1-24.4
  • enscript-debuginfo-0:1.6.1-24.4
  • enscript-0:1.6.1-28.3
  • enscript-debuginfo-0:1.6.1-28.3

Statements

contributor: Mark J Cox
last modified: 2007-03-14
organization: Red Hat
statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.