Vulnerabilities > CVE-2006-0071 - Local Privilege Escalation vulnerability in Gentoo Pinentry

047910
CVSS 6.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
NONE
local
low complexity
gentoo
nessus

Summary

The ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0.

Vulnerable Configurations

Part Description Count
Application
Gentoo
2
OS
Gentoo
1

Nessus

NASL familyGentoo Local Security Checks
NASL idGENTOO_GLSA-200601-01.NASL
descriptionThe remote host is affected by the vulnerability described in GLSA-200601-01 (pinentry: Local privilege escalation) Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that the pinentry ebuild incorrectly sets the permissions of the pinentry binaries upon installation, so that the sgid bit is set making them execute with the privileges of group ID 0. Impact : A user of pinentry could potentially read and overwrite files with a group ID of 0. Workaround : There is no known workaround at this time.
last seen2020-06-01
modified2020-06-02
plugin id20411
published2006-01-15
reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20411
titleGLSA-200601-01 : pinentry: Local privilege escalation
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200601-01.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(20411);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:43");

  script_cve_id("CVE-2006-0071");
  script_xref(name:"GLSA", value:"200601-01");

  script_name(english:"GLSA-200601-01 : pinentry: Local privilege escalation");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-200601-01
(pinentry: Local privilege escalation)

    Tavis Ormandy of the Gentoo Linux Security Audit Team has
    discovered that the pinentry ebuild incorrectly sets the permissions of
    the pinentry binaries upon installation, so that the sgid bit is set
    making them execute with the privileges of group ID 0.
  
Impact :

    A user of pinentry could potentially read and overwrite files with
    a group ID of 0.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200601-01"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All pinentry users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=app-crypt/pinentry-0.7.2-r2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pinentry");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/01/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"app-crypt/pinentry", unaffected:make_list("ge 0.7.2-r2"), vulnerable:make_list("lt 0.7.2-r2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pinentry");
}