Vulnerabilities > CVE-2005-4595 - Unspecified vulnerability in Gentoo Nview and Xnview

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
gentoo
nessus

Summary

Untrusted search path vulnerability (RPATH) in XnView 1.70 and NView 4.51 on Gentoo Linux allows local users to execute arbitrary code via a malicious library in the current working directory.

Vulnerable Configurations

Part Description Count
Application
Gentoo
2

Nessus

NASL familyGentoo Local Security Checks
NASL idGENTOO_GLSA-200512-18.NASL
descriptionThe remote host is affected by the vulnerability described in GLSA-200512-18 (XnView: Privilege escalation) Krzysiek Pawlik of Gentoo Linux discovered that the XnView package for IA32 used the DT_RPATH field insecurely, causing the dynamic loader to search for shared libraries in potentially untrusted directories. Impact : A local attacker could create a malicious shared object that would be loaded and executed when a user attempted to use an XnView utility. This would allow a malicious user to effectively hijack XnView and execute arbitrary code with the privileges of the user running the program. Workaround : The system administrator may use the chrpath utility to remove the DT_RPATH field from the XnView utilities: # emerge app-admin/chrpath # chrpath --delete /opt/bin/nconvert /opt/bin/nview /opt/bin/xnview
last seen2020-06-01
modified2020-06-02
plugin id20371
published2005-12-31
reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20371
titleGLSA-200512-18 : XnView: Privilege escalation
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200512-18.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(20371);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2005-4595");
  script_xref(name:"GLSA", value:"200512-18");

  script_name(english:"GLSA-200512-18 : XnView: Privilege escalation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200512-18
(XnView: Privilege escalation)

    Krzysiek Pawlik of Gentoo Linux discovered that the XnView package for
    IA32 used the DT_RPATH field insecurely, causing the dynamic loader to
    search for shared libraries in potentially untrusted directories.
  
Impact :

    A local attacker could create a malicious shared object that would be
    loaded and executed when a user attempted to use an XnView utility.
    This would allow a malicious user to effectively hijack XnView and
    execute arbitrary code with the privileges of the user running the
    program.
  
Workaround :

    The system administrator may use the chrpath utility to remove the
    DT_RPATH field from the XnView utilities:
    # emerge app-admin/chrpath
    # chrpath --delete /opt/bin/nconvert /opt/bin/nview /opt/bin/xnview"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200512-18"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All XnView users on the x86 platform should upgrade to the latest
    version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=x11-misc/xnview-1.70-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xnview");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/12/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/31");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list", "Host/Gentoo/arch");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/Gentoo/arch");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86)$") audit(AUDIT_ARCH_NOT, "x86", ourarch);

flag = 0;

if (qpkg_check(package:"x11-misc/xnview", arch:"x86", unaffected:make_list("ge 1.70-r1"), vulnerable:make_list("lt 1.70-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "XnView");
}