Vulnerabilities > CVE-2007-2027 - USE of Externally-Controlled Format String vulnerability in Elinks 0.11.1

047910
CVSS 4.4 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
elinks
CWE-134
nessus
exploit available

Summary

Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks. An untrusted message catalog might lead to a format-string attack when an attacker tricks user into launching links from a particular directory.

Vulnerable Configurations

Part Description Count
Application
Elinks
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Exploit-Db

descriptionELinks Relative 0.10.6 /011.1 Path Arbitrary Code Execution Vulnerability. CVE-2007-2027 . Local exploit for linux platform
idEDB-ID:29954
last seen2016-02-03
modified2007-05-07
published2007-05-07
reporterArnaud Giersch
sourcehttps://www.exploit-db.com/download/29954/
titleELinks Relative 0.10.6 /011.1 Path Arbitrary Code Execution Vulnerability

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2009-1471.NASL
    descriptionFrom Red Hat Security Advisory 2009:1471 : An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id67934
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67934
    titleOracle Linux 4 / 5 : elinks (ELSA-2009-1471)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2009:1471 and 
    # Oracle Linux Security Advisory ELSA-2009-1471 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67934);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:08");
    
      script_cve_id("CVE-2007-2027", "CVE-2008-7224");
      script_xref(name:"RHSA", value:"2009:1471");
    
      script_name(english:"Oracle Linux 4 / 5 : elinks (ELSA-2009-1471)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2009:1471 :
    
    An updated elinks package that fixes two security issues is now
    available for Red Hat Enterprise Linux 4 and 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    ELinks is a text-based Web browser. ELinks does not display any
    images, but it does support frames, tables, and most other HTML tags.
    
    An off-by-one buffer overflow flaw was discovered in the way ELinks
    handled its internal cache of string representations for HTML special
    entities. A remote attacker could use this flaw to create a specially
    crafted HTML file that would cause ELinks to crash or, possibly,
    execute arbitrary code when rendered. (CVE-2008-7224)
    
    It was discovered that ELinks tried to load translation files using
    relative paths. A local attacker able to trick a victim into running
    ELinks in a folder containing specially crafted translation files
    could use this flaw to confuse the victim via incorrect translations,
    or cause ELinks to crash and possibly execute arbitrary code via
    embedded formatting sequences in translated messages. (CVE-2007-2027)
    
    All ELinks users are advised to upgrade to this updated package, which
    contains backported patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2009-October/001179.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2009-October/001181.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected elinks package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_cwe_id(119, 134);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:elinks");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4 / 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL4", reference:"elinks-0.9.2-4.el4_8.1")) flag++;
    
    if (rpm_check(release:"EL5", reference:"elinks-0.11.1-6.el5_4.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "elinks");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-457-1.NASL
    descriptionArnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28055
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28055
    titleUbuntu 6.06 LTS / 6.10 / 7.04 : elinks vulnerability (USN-457-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200706-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200706-03 (ELinks: User-assisted execution of arbitrary code) Arnaud Giersch discovered that the
    last seen2020-06-01
    modified2020-06-02
    plugin id25453
    published2007-06-07
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25453
    titleGLSA-200706-03 : ELinks: User-assisted execution of arbitrary code
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2009-1471.NASL
    descriptionAn updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id41962
    published2009-10-02
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/41962
    titleRHEL 4 / 5 : elinks (RHSA-2009:1471)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20091001_ELINKS_ON_SL4_X.NASL
    descriptionCVE-2007-2027 elinks tries to load .po files from a non-absolute path CVE-2008-7224 elinks: entity_cache static array buffer overflow (off-by-one) An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027)
    last seen2020-06-01
    modified2020-06-02
    plugin id60673
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60673
    titleScientific Linux Security Update : elinks on SL4.x, SL5.x i386/x86_64
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2009-0030.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - fix #235411 - CVE-2007-2027 - elinks tries to load .po files from non-absolute path - fix #523258 - CVE-2008-7224 - entity_cache static array buffer overflow
    last seen2020-06-01
    modified2020-06-02
    plugin id79468
    published2014-11-26
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79468
    titleOracleVM 2.1 : elinks (OVMSA-2009-0030)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2009-1471.NASL
    descriptionAn updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id43798
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43798
    titleCentOS 4 / 5 : elinks (CESA-2009:1471)

Oval

accepted2013-04-29T04:21:46.799-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
    ovaloval:org.mitre.oval:def:11414
  • commentThe operating system installed on the system is CentOS Linux 5.x
    ovaloval:org.mitre.oval:def:15802
  • commentOracle Linux 5.x
    ovaloval:org.mitre.oval:def:15459
descriptionUntrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
familyunix
idoval:org.mitre.oval:def:9741
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleUntrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
version27

Redhat

rpms
  • elinks-0:0.11.1-6.el5_4.1
  • elinks-0:0.9.2-4.el4_8.1
  • elinks-debuginfo-0:0.11.1-6.el5_4.1
  • elinks-debuginfo-0:0.9.2-4.el4_8.1

Statements

contributorMark J Cox
lastmodified2009-10-02
organizationRed Hat
statementThis issue affected Red Hat Enterprise Linux 4 and 5. Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html