Vulnerabilities > CVE-2004-1772 - Buffer Overflow vulnerability in GNU Sharutils 4.2/4.2.1
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows local users to execute arbitrary code via a long -o command line argument.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2005-280.NASL description - Thu Mar 31 2005 Than Ngo <than at redhat.com> 4.2.1-18.1.FC2 - apply patch to fix multiple buffer overflows #152571 - apply patch to fix buffer overflow in handling of -o option, CVE-2004-1772, #123230 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 18331 published 2005-05-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18331 title Fedora Core 2 : sharutils-4.2.1-18.1.FC2 (2005-280) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2005-280. # include("compat.inc"); if (description) { script_id(18331); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:24"); script_xref(name:"FEDORA", value:"2005-280"); script_name(english:"Fedora Core 2 : sharutils-4.2.1-18.1.FC2 (2005-280)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Thu Mar 31 2005 Than Ngo <than at redhat.com> 4.2.1-18.1.FC2 - apply patch to fix multiple buffer overflows #152571 - apply patch to fix buffer overflow in handling of -o option, CVE-2004-1772, #123230 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2005-April/000832.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cbda1cff" ); script_set_attribute( attribute:"solution", value:"Update the affected sharutils and / or sharutils-debuginfo packages." ); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sharutils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:sharutils-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2"); script_set_attribute(attribute:"patch_publication_date", value:"2005/04/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC2", reference:"sharutils-4.2.1-18.1.FC2")) flag++; if (rpm_check(release:"FC2", reference:"sharutils-debuginfo-4.2.1-18.1.FC2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sharutils / sharutils-debuginfo"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-067.NASL description Shaun Colley discovered a buffer overflow in shar that was triggered by output files (using -o) with names longer than 49 characters which could be exploited to run arbitrary attacker-specified code. Ulf Harnhammar discovered that shar does not check the data length returned by the wc command. Joey Hess discovered that unshar would create temporary files in an insecure manner which could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user using unshar. The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 18002 published 2005-04-08 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18002 title Mandrake Linux Security Advisory : sharutils (MDKSA-2005:067) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:067. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(18002); script_version ("1.18"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-1772", "CVE-2004-1773", "CVE-2005-0990"); script_xref(name:"MDKSA", value:"2005:067"); script_name(english:"Mandrake Linux Security Advisory : sharutils (MDKSA-2005:067)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "Shaun Colley discovered a buffer overflow in shar that was triggered by output files (using -o) with names longer than 49 characters which could be exploited to run arbitrary attacker-specified code. Ulf Harnhammar discovered that shar does not check the data length returned by the wc command. Joey Hess discovered that unshar would create temporary files in an insecure manner which could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user using unshar. The updated packages have been patched to correct these issues." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302412" ); script_set_attribute( attribute:"solution", value:"Update the affected sharutils package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sharutils"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/04/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"sharutils-4.2.1-14.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"sharutils-4.2.1-17.1.101mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-377.NASL description An updated sharutils package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. A stack based overflow bug was found in the way shar handles the -o option. If a user can be tricked into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1772 to this issue. Please note that this issue does not affect Red Hat Enterprise Linux 4. Two buffer overflow bugs were found in sharutils. If an attacker can place a malicious last seen 2020-06-01 modified 2020-06-02 plugin id 18147 published 2005-04-27 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18147 title RHEL 2.1 / 3 / 4 : sharutils (RHSA-2005:377) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-377.NASL description An updated sharutils package is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The sharutils package contains a set of tools for encoding and decoding packages of files in binary or text format. A stack based overflow bug was found in the way shar handles the -o option. If a user can be tricked into running a specially crafted command, it could lead to arbitrary code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1772 to this issue. Please note that this issue does not affect Red Hat Enterprise Linux 4. Two buffer overflow bugs were found in sharutils. If an attacker can place a malicious last seen 2020-06-01 modified 2020-06-02 plugin id 21814 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21814 title CentOS 3 / 4 : sharutils (CESA-2005:377)
Oval
| accepted | 2013-04-29T04:15:31.675-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows local users to execute arbitrary code via a long -o command line argument. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:11722 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows local users to execute arbitrary code via a long -o command line argument. | ||||||||||||||||||||
| version | 25 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://marc.info/?l=bugtraq&m=108137386310299&w=2
- http://www.redhat.com/support/errata/RHSA-2005-377.html
- http://www.securityfocus.com/archive/1/359639
- http://www.securityfocus.com/bid/10066
- https://bugzilla.fedora.us/show_bug.cgi?id=2155
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15759
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11722