Vulnerabilities > CVE-2004-1452 - Unspecified vulnerability in Gentoo Linux

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
gentoo
nessus

Summary

Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions on the init scripts as tomcat:tomcat, but executes the scripts with root privileges, which could allow local users in the tomcat group to execute arbitrary commands as root by modifying the scripts.

Vulnerable Configurations

Part Description Count
OS
Gentoo
8

Nessus

NASL familyGentoo Local Security Checks
NASL idGENTOO_GLSA-200408-15.NASL
descriptionThe remote host is affected by the vulnerability described in GLSA-200408-15 (Tomcat: Insecure installation) The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init scripts as tomcat:tomcat, but those scripts are executed with root privileges when the system is started. This may allow a member of the tomcat group to run arbitrary code with root privileges when the Tomcat init scripts are run. Impact : This could lead to a local privilege escalation or root compromise by authenticated users. Workaround : Users may change the ownership of /etc/init.d/tomcat* and /etc/conf.d/tomcat* to be root:root: # chown -R root:root /etc/init.d/tomcat* # chown -R root:root /etc/conf.d/tomcat*
last seen2020-06-01
modified2020-06-02
plugin id14571
published2004-08-30
reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/14571
titleGLSA-200408-15 : Tomcat: Insecure installation
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200408-15.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(14571);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:41");

  script_cve_id("CVE-2004-1452");
  script_xref(name:"GLSA", value:"200408-15");

  script_name(english:"GLSA-200408-15 : Tomcat: Insecure installation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200408-15
(Tomcat: Insecure installation)

    The Gentoo ebuild for Tomcat sets the ownership of the Tomcat init
    scripts as tomcat:tomcat, but those scripts are executed with root
    privileges when the system is started. This may allow a member of the
    tomcat group to run arbitrary code with root privileges when the Tomcat
    init scripts are run.
  
Impact :

    This could lead to a local privilege escalation or root compromise by
    authenticated users.
  
Workaround :

    Users may change the ownership of /etc/init.d/tomcat* and
    /etc/conf.d/tomcat* to be root:root:
    # chown -R root:root /etc/init.d/tomcat*
    # chown -R root:root /etc/conf.d/tomcat*"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200408-15"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All Tomcat users can upgrade to the latest stable version, or simply
    apply the workaround:
    # emerge sync
    # emerge -pv '>=www-servers/tomcat-5.0.27-r3'
    # emerge '>=www-servers/tomcat-5.0.27-r3'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tomcat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"www-servers/tomcat", unaffected:make_list("ge 5.0.27-r3", "rge 4.1.30-r4", "rge 3.3.2-r2"), vulnerable:make_list("lt 5.0.27-r3"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Tomcat");
}