Vulnerabilities > CVE-2006-5215 - Local Security vulnerability in NetBSD
Attack vector
LOCAL Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file. This vulnerability is addressed in the following product updates: X.org, xdm, 2006-03-17 NetBSD, NetBSD, Current 2006-02-12 Sun, Solaris, 10 2006-10-06
Vulnerable Configurations
Nessus
NASL family Solaris Local Security Checks NASL id SOLARIS8_X86_111845.NASL description X11 6.4.1_x86: xdm patch. Date this patch was last updated by Sun : Jan/26/07 last seen 2020-06-01 modified 2020-06-02 plugin id 23447 published 2006-11-06 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23447 title Solaris 8 (x86) : 111845-04 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text in this plugin was # extracted from the Oracle SunOS Patch Updates. # include("compat.inc"); if (description) { script_id(23447); script_version("1.19"); script_cvs_date("Date: 2019/10/25 13:36:24"); script_cve_id("CVE-2006-5214", "CVE-2006-5215"); script_name(english:"Solaris 8 (x86) : 111845-04"); script_summary(english:"Check for patch 111845-04"); script_set_attribute( attribute:"synopsis", value:"The remote host is missing Sun Security Patch number 111845-04" ); script_set_attribute( attribute:"description", value: "X11 6.4.1_x86: xdm patch. Date this patch was last updated by Sun : Jan/26/07" ); script_set_attribute( attribute:"see_also", value:"http://download.oracle.com/sunalerts/1000298.1.html" ); script_set_attribute( attribute:"solution", value:"You should install this patch for your system to be up-to-date." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris"); script_set_attribute(attribute:"patch_publication_date", value:"2007/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Solaris Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("solaris.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (solaris_check_patch(release:"5.8_x86", arch:"i386", patch:"111845-04", obsoleted_by:"", package:"SUNWxwopt", version:"6.4.1.3800,REV=0.1999.12.15") < 0) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:solaris_get_report()); else security_note(0); exit(0); } audit(AUDIT_HOST_NOT, "affected");NASL family Solaris Local Security Checks NASL id SOLARIS9_124830.NASL description X11 6.6.1: xdm patch. Date this patch was last updated by Sun : Jan/18/07 last seen 2020-06-01 modified 2020-06-02 plugin id 24407 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24407 title Solaris 9 (sparc) : 124830-01 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text in this plugin was # extracted from the Oracle SunOS Patch Updates. # include("compat.inc"); if (description) { script_id(24407); script_version("1.17"); script_cvs_date("Date: 2019/10/25 13:36:24"); script_cve_id("CVE-2006-5214", "CVE-2006-5215"); script_name(english:"Solaris 9 (sparc) : 124830-01"); script_summary(english:"Check for patch 124830-01"); script_set_attribute( attribute:"synopsis", value:"The remote host is missing Sun Security Patch number 124830-01" ); script_set_attribute( attribute:"description", value: "X11 6.6.1: xdm patch. Date this patch was last updated by Sun : Jan/18/07" ); script_set_attribute( attribute:"see_also", value:"http://download.oracle.com/sunalerts/1000298.1.html" ); script_set_attribute( attribute:"solution", value:"You should install this patch for your system to be up-to-date." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris"); script_set_attribute(attribute:"patch_publication_date", value:"2007/01/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Solaris Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("solaris.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"124830-01", obsoleted_by:"", package:"SUNWxwopt", version:"6.6.1.5800,REV=0.2002.04.05") < 0) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:solaris_get_report()); else security_note(0); exit(0); } audit(AUDIT_HOST_NOT, "affected");NASL family Solaris Local Security Checks NASL id SOLARIS8_111844.NASL description X11 6.4.1 xdm patch. Date this patch was last updated by Sun : Jan/26/07 last seen 2020-06-01 modified 2020-06-02 plugin id 23335 published 2006-11-06 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23335 title Solaris 8 (sparc) : 111844-04 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text in this plugin was # extracted from the Oracle SunOS Patch Updates. # include("compat.inc"); if (description) { script_id(23335); script_version("1.21"); script_cvs_date("Date: 2019/10/25 13:36:24"); script_cve_id("CVE-2006-5214", "CVE-2006-5215"); script_name(english:"Solaris 8 (sparc) : 111844-04"); script_summary(english:"Check for patch 111844-04"); script_set_attribute( attribute:"synopsis", value:"The remote host is missing Sun Security Patch number 111844-04" ); script_set_attribute( attribute:"description", value: "X11 6.4.1 xdm patch. Date this patch was last updated by Sun : Jan/26/07" ); script_set_attribute( attribute:"see_also", value:"http://download.oracle.com/sunalerts/1000298.1.html" ); script_set_attribute( attribute:"solution", value:"You should install this patch for your system to be up-to-date." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris"); script_set_attribute(attribute:"patch_publication_date", value:"2007/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Solaris Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("solaris.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (solaris_check_patch(release:"5.8", arch:"sparc", patch:"111844-04", obsoleted_by:"", package:"SUNWxwopt", version:"6.4.1.3800,REV=0.1999.12.15") < 0) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:solaris_get_report()); else security_note(0); exit(0); } audit(AUDIT_HOST_NOT, "affected");NASL family Solaris Local Security Checks NASL id SOLARIS10_124457.NASL description X11 6.6.2: xdm patch. Date this patch was last updated by Sun : Jul/16/10 This plugin has been deprecated and either replaced with individual 124457 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 23994 published 2007-01-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=23994 title Solaris 10 (sparc) : 124457-03 (deprecated) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_124458.NASL description X11 6.6.2_x86: xdm patch. Date this patch was last updated by Sun : Jul/16/10 This plugin has been deprecated and either replaced with individual 124458 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 23918 published 2006-12-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=23918 title Solaris 10 (x86) : 124458-03 (deprecated) NASL family Solaris Local Security Checks NASL id SOLARIS9_X86_124831.NASL description X11 6.6.1_x86: xdm patch. Date this patch was last updated by Sun : Jan/18/07 last seen 2020-06-01 modified 2020-06-02 plugin id 24410 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24410 title Solaris 9 (x86) : 124831-01
Oval
| accepted | 2007-09-27T08:57:46.256-04:00 | ||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||
| description | The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file. | ||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:2205 | ||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||
| submitted | 2007-08-10T12:25:23.000-04:00 | ||||||||||||||||||||||||
| title | Security Vulnerability in X Display Manager (xdm(1)) Xsession Script | ||||||||||||||||||||||||
| version | 35 |
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-03-14 |
| organization | Red Hat |
| statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
References
- http://secunia.com/advisories/22992
- http://securitytracker.com/id?1017015
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102652-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-250.htm
- http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=32805
- https://bugs.freedesktop.org/show_bug.cgi?id=5898
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29427
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2205