Vulnerabilities > CVE-2008-1391 - Numeric Errors vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
freebsd
netbsd
CWE-189
nessus
exploit available

Summary

Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionMultiple BSD Platforms 'strfmon()' Function Integer Overflow Weakness. CVE-2008-1391. Dos exploit for bsd platform
idEDB-ID:31550
last seen2016-02-03
modified2008-03-27
published2008-03-27
reporterMaksymilian Arciemowicz
sourcehttps://www.exploit-db.com/download/31550/
titleMultiple BSD Platforms - 'strfmon' Function Integer Overflow Weakness

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-112.NASL
    descriptionMultiple vulnerabilities was discovered and fixed in glibc : Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id48185
    published2010-07-30
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/48185
    titleMandriva Linux Security Advisory : glibc (MDVSA-2010:112)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2010:112. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(48185);
      script_version("1.11");
      script_cvs_date("Date: 2019/08/02 13:32:53");
    
      script_cve_id("CVE-2009-4880", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830");
      script_bugtraq_id(36443, 37885, 40063);
      script_xref(name:"MDVSA", value:"2010:112");
    
      script_name(english:"Mandriva Linux Security Advisory : glibc (MDVSA-2010:112)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities was discovered and fixed in glibc :
    
    Multiple integer overflows in the strfmon implementation in the GNU C
    Library (aka glibc or libc6) 2.10.1 and earlier allow
    context-dependent attackers to cause a denial of service (memory
    consumption or application crash) via a crafted format string, as
    demonstrated by a crafted first argument to the money_format function
    in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).
    
    nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7
    and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
    passwd.adjunct.byname map to entries in the passwd map, which allows
    remote attackers to obtain the encrypted passwords of NIS accounts by
    calling the getpwnam function (CVE-2010-0015).
    
    The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
    glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
    mount.cifs, does not properly handle newline characters in mountpoint
    names, which allows local users to cause a denial of service (mtab
    corruption), or possibly modify mount options and gain privileges, via
    a crafted mount request (CVE-2010-0296).
    
    Integer signedness error in the elf_get_dynamic_info function in
    elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
    2.0.1 through 2.11.1, when the --verify option is used, allows
    user-assisted remote attackers to execute arbitrary code via a crafted
    ELF program with a negative value for a certain d_tag structure member
    in the ELF header (CVE-2010-0830).
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-devel-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-doc-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-doc-pdf-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-i18ndata-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-profile-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-static-devel-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"glibc-utils-2.10.1-6.5mnb2")) flag++;
    if (rpm_check(release:"MDK2010.0", reference:"nscd-2.10.1-6.5mnb2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GLIBC-7201.NASL
    descriptionSeveral security issues were fixed : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
    last seen2020-06-01
    modified2020-06-02
    plugin id50377
    published2010-10-28
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50377
    titleSuSE 10 Security Update : glibc (ZYPP Patch Number 7201)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50377);
      script_version ("1.13");
      script_cvs_date("Date: 2019/10/25 13:36:40");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");
    
      script_name(english:"SuSE 10 Security Update : glibc (ZYPP Patch Number 7201)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security issues were fixed :
    
      - Decoding of the $ORIGIN special value in various LD_
        environment variables allowed local attackers to execute
        code in context of e.g. setuid root programs, elevating
        privileges. This issue does not affect SUSE as an
        assertion triggers before the respective code is
        executed. The bug was fixed nevertheless.
        (CVE-2010-3847)
    
      - The LD_AUDIT environment was not pruned during setuid
        root execution and could load shared libraries from
        standard system library paths. This could be used by
        local attackers to inject code into setuid root programs
        and so elevated privileges. (CVE-2010-3856)
    
      - Integer overflow causing arbitrary code execution in
        ld.so --verify mode could be induced by a specially
        crafted binary. (CVE-2010-0830)
    
      - The addmntent() function would not escape the newline
        character properly, allowing the user to insert
        arbitrary newlines to the /etc/mtab; if the addmntent()
        is run by a setuid mount binary that does not do extra
        input checking, this would allow custom entries to be
        inserted in /etc/mtab. (CVE-2010-0296)
    
      - The strfmon() function contains an integer overflow
        vulnerability in width specifiers handling that could be
        triggered by an attacker that can control the format
        string passed to strfmon(). (CVE-2008-1391)
    
      - Some setups (mainly Solaris-based legacy setups) include
        shadow information (password hashes) as so-called
        'adjunct passwd' table, mangling it with the rest of
        passwd columns instead of keeping it in the shadow
        table. Normally, Solaris will disclose this information
        only to clients bound to a priviledged port, but when
        nscd is deployed on the client, getpwnam() would
        disclose the password hashes to all users. New mode
        'adjunct as shadow' can now be enabled in
        /etc/default/nss that will move the password hashes from
        the world-readable passwd table to emulated shadow table
        (that is not cached by nscd). (CVE-2010-0015)
    
    Some invalid behavior, crashes and memory leaks were fixed :
    
      - nscd in the paranoia mode would crash on the periodic
        restart in case one of the databases was disabled in the
        nscd configuration.
    
      - When closing a widechar stdio stream, memory would
        sometimes be leaked.
    
      - memcpy() on power6 would errorneously use a 64-bit
        instruction within 32-bit code in certain corner cases.
    
      - jrand48() returns numbers in the wrong range on 64-bit
        systems: Instead of [-231, +231), the value was always
        positive and sometimes higher than the supposed upper
        bound.
    
      - Roughly every 300 days of uptime, the times() function
        would report an error for 4096 seconds, a side-effect of
        how system calls are implemented on i386. glibc was
        changed to never report an error and crash an
        application that would trigger EFAULT by kernel (because
        of invalid pointer passed to the times() syscall)
        before.
    
      - getifaddrs() would report infiniband interfaces with
        corrupted ifa_name structure field.
    
      - getgroups(-1) normally handles the invalid array size
        gracefully by setting EINVAL. However, a crash would be
        triggered in case the code was compiled using
        '-DFORTIFYSOURCE=2 -O2'.
    
      - Pthread cleanup handlers would not always be invoked on
        thread cancellation (e.g. in RPC code, but also in other
        parts of glibc that may hang outside of a syscall) -
        glibc is now compiled with
    
        -fasynchronous-unwind-tables. Some other minor issues
        were fixed :
    
      - There was a problem with sprof<->dlopen() interaction
        due to a missing flag in the internal dlopen() wrapper.
    
      - On x86_64, backtrace of a static destructor would stop
        in the _fini() glibc pseudo-routine, making it difficult
        to find out what originally triggered the program
        termination. The routine now has unwind information
        attached.
    
      - glibc-locale now better coexists with sap-locale on
        upgrades by regenerating the locale/gconv indexes
        properly."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3847.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3856.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7201.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(189, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-devel-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-html-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-i18ndata-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-info-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"glibc-locale-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, reference:"nscd-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-devel-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-html-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-i18ndata-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-info-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-locale-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"glibc-profile-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, reference:"nscd-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.76.1")) flag++;
    if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-profile-32bit-2.4-31.77.76.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_GLIBC-101025.NASL
    descriptionThis update of glibc fixes various bugs and security issues : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
    last seen2020-06-01
    modified2020-06-02
    plugin id50912
    published2010-12-02
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50912
    titleSuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50912);
      script_version("1.14");
      script_cvs_date("Date: 2019/10/25 13:36:39");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");
    
      script_name(english:"SuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of glibc fixes various bugs and security issues :
    
      - Decoding of the $ORIGIN special value in various LD_
        environment variables allowed local attackers to execute
        code in context of e.g. setuid root programs, elevating
        privileges. This issue does not affect SUSE as an
        assertion triggers before the respective code is
        executed. The bug was fixed nevertheless.
        (CVE-2010-3847)
    
      - The LD_AUDIT environment was not pruned during setuid
        root execution and could load shared libraries from
        standard system library paths. This could be used by
        local attackers to inject code into setuid root programs
        and so elevated privileges. (CVE-2010-3856)
    
      - Integer overflow causing arbitrary code execution in
        ld.so --verify mode could be induced by a specially
        crafted binary. (CVE-2010-0830)
    
      - The addmntent() function would not escape the newline
        character properly, allowing the user to insert
        arbitrary newlines to the /etc/mtab; if the addmntent()
        is run by a setuid mount binary that does not do extra
        input checking, this would allow custom entries to be
        inserted in /etc/mtab. (CVE-2010-0296)
    
      - The strfmon() function contains an integer overflow
        vulnerability in width specifiers handling that could be
        triggered by an attacker that can control the format
        string passed to strfmon(). (CVE-2008-1391)
    
      - Some setups (mainly Solaris-based legacy setups) include
        shadow information (password hashes) as so-called
        'adjunct passwd' table, mangling it with the rest of
        passwd columns instead of keeping it in the shadow
        table. Normally, Solaris will disclose this information
        only to clients bound to a priviledged port, but when
        nscd is deployed on the client, getpwnam() would
        disclose the password hashes to all users. New mode
        'adjunct as shadow' can now be enabled in
        /etc/default/nss that will move the password hashes from
        the world-readable passwd table to emulated shadow table
        (that is not cached by nscd). (CVE-2010-0015)
    
    Some invalid behaviour, crashes and memory leaks were fixed :
    
      - statfs64() would not function properly on IA64 in ia32el
        emulation mode.
    
      - memcpy() and memset() on power6 would erroneously use a
        64-bit instruction within 32-bit code in certain corner
        cases.
    
      - nscd would not load /etc/host.conf properly before
        performing host resolution - most importantly, multi on
        in /etc/host.conf would be ignored when nscd was used,
        breaking e.g. resolving records in /etc/hosts where
        single name would point at multiple addresses
    
      - Removed mapping from lowercase sharp s to uppercase
        sharp S; uppercase S is not a standardly used letter and
        causes problems for ISO encodings.
    
    Some other minor issues were fixed :
    
      - glibc-locale now better coexists with sap-locale on
        upgrades by regenerating the locale/gconv indexes
        properly.
    
      - Ports 623 and 664 may not be allocated by RPC code
        automatically anymore since that may clash with ports
        used on some IPMI network cards.
    
      - On x86_64, backtrace of a static destructor would stop
        in the _fini() glibc pseudo-routine, making it difficult
        to find out what originally triggered the program
        termination. The routine now has unwind information
        attached."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=375315"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=445636"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=513961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=534828"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=541773"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=569091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=572188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=585879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=592941"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=594263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=615556"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=646960"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3847.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-3856.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Apply SAT patch number 3392 / 3393 as appropriate."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(189, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-locale-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"nscd-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i686", reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"i686", reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-locale-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"nscd-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-locale-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"nscd-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"nscd-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-devel-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-html-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-info-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-locale-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"glibc-profile-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, reference:"nscd-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-profile-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-profile-32bit-2.9-13.11.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-devel-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-html-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-info-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-locale-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"glibc-profile-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, reference:"nscd-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-profile-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-profile-32bit-2.11.1-0.20.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2010-111.NASL
    descriptionMultiple vulnerabilities was discovered and fixed in glibc : Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391 (CVE-2009-4881). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90 The updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id46849
    published2010-06-09
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/46849
    titleMandriva Linux Security Advisory : glibc (MDVSA-2010:111)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2010:111. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(46849);
      script_version("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:53");
    
      script_cve_id("CVE-2009-4880", "CVE-2009-4881", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830");
      script_bugtraq_id(36443, 37885, 40063);
      script_xref(name:"MDVSA", value:"2010:111");
    
      script_name(english:"Mandriva Linux Security Advisory : glibc (MDVSA-2010:111)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities was discovered and fixed in glibc :
    
    Multiple integer overflows in the strfmon implementation in the GNU C
    Library (aka glibc or libc6) 2.10.1 and earlier allow
    context-dependent attackers to cause a denial of service (memory
    consumption or application crash) via a crafted format string, as
    demonstrated by a crafted first argument to the money_format function
    in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).
    
    Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
    the strfmon implementation in the GNU C Library (aka glibc or libc6)
    before 2.10.1 allows context-dependent attackers to cause a denial of
    service (application crash) via a crafted format string, as
    demonstrated by the %99999999999999999999n string, a related issue to
    CVE-2008-1391 (CVE-2009-4881).
    
    nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7
    and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
    passwd.adjunct.byname map to entries in the passwd map, which allows
    remote attackers to obtain the encrypted passwords of NIS accounts by
    calling the getpwnam function (CVE-2010-0015).
    
    The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
    glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
    mount.cifs, does not properly handle newline characters in mountpoint
    names, which allows local users to cause a denial of service (mtab
    corruption), or possibly modify mount options and gain privileges, via
    a crafted mount request (CVE-2010-0296).
    
    Integer signedness error in the elf_get_dynamic_info function in
    elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
    2.0.1 through 2.11.1, when the --verify option is used, allows
    user-assisted remote attackers to execute arbitrary code via a crafted
    ELF program with a negative value for a certain d_tag structure member
    in the ELF header (CVE-2010-0830).
    
    Packages for 2008.0 and 2009.0 are provided as of the Extended
    Maintenance Program. Please visit this link to learn more:
    http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4
    90
    
    The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-devel-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-doc-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-doc-pdf-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-i18ndata-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-profile-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-static-devel-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"glibc-utils-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"nscd-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", reference:"glibc-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-devel-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-doc-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-doc-pdf-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-i18ndata-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-profile-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-static-devel-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"glibc-utils-2.8-1.20080520.5.5mnb2")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"nscd-2.8-1.20080520.5.5mnb2")) flag++;
    
    if (rpm_check(release:"MDK2009.1", reference:"glibc-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-devel-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-doc-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-doc-pdf-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-i18ndata-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-profile-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-static-devel-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"glibc-utils-2.9-0.20081113.5.1mnb2")) flag++;
    if (rpm_check(release:"MDK2009.1", reference:"nscd-2.9-0.20081113.5.1mnb2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_GLIBC-101027.NASL
    descriptionThis update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon().
    last seen2020-06-01
    modified2020-06-02
    plugin id50373
    published2010-10-28
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50373
    titleopenSUSE Security Update : glibc (openSUSE-SU-2010:0913-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update glibc-3400.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(50373);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");
    
      script_name(english:"openSUSE Security Update : glibc (openSUSE-SU-2010:0913-1)");
      script_summary(english:"Check for the glibc-3400 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of glibc fixes various bugs and security issues :
    
    CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_
    environment variables allowed local attackers to execute code in
    context of e.g. setuid root programs, elevating privileges. This issue
    does not affect SUSE as an assertion triggers before the respective
    code is executed. The bug was fixed nevertheless.
    
    CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid
    root execution and could load shared libraries from standard system
    library paths. This could be used by local attackers to inject code
    into setuid root programs and so elevated privileges.
    
    CVE-2010-0830: Integer overflow causing arbitrary code execution in
    ld.so
    
    --verify mode could be induced by a specially crafted binary.
    
    CVE-2010-0296: The addmntent() function would not escape the newline
    character properly, allowing the user to insert arbitrary newlines to
    the /etc/mtab; if the addmntent() is run by a setuid mount binary that
    does not do extra input checking, this would allow custom entries to
    be inserted in /etc/mtab.
    
    CVE-2008-1391: The strfmon() function contains an integer overflow
    vulnerability in width specifiers handling that could be triggered by
    an attacker that can control the format string passed to strfmon()."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=375315"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=572188"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=592941"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=594263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=646960"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-10/msg00040.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected glibc packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-i18ndata");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-info");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-devel-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-html-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-i18ndata-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-info-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-locale-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-obsolete-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"glibc-profile-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"nscd-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-32bit-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-devel-32bit-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-locale-32bit-2.10.1-10.9.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-profile-32bit-2.10.1-10.9.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_5_6.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.6. Mac OS X 10.5.6 contains security fixes for the following products : - ATS - BOM - CoreGraphics - CoreServices - CoreTypes - Flash Player Plug-in - Kernel - Libsystem - Managed Client - network_cmds - Podcast Producer - UDF
    last seen2020-06-01
    modified2020-06-02
    plugin id35111
    published2008-12-16
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35111
    titleMac OS X 10.5.x < 10.5.6 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(35111);
      script_version("1.21");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id(
        "CVE-2008-1391", 
        "CVE-2008-3170", 
        "CVE-2008-3623", 
        "CVE-2008-4217", 
        "CVE-2008-4218",
        "CVE-2008-4219", 
        "CVE-2008-4220", 
        "CVE-2008-4221", 
        "CVE-2008-4222", 
        "CVE-2008-4223",
        "CVE-2008-4224", 
        "CVE-2008-4234", 
        "CVE-2008-4236", 
        "CVE-2008-4237", 
        "CVE-2008-4818",
        "CVE-2008-4819", 
        "CVE-2008-4820", 
        "CVE-2008-4821", 
        "CVE-2008-4822", 
        "CVE-2008-4823",
        "CVE-2008-4824"
      );
      script_bugtraq_id(
        28479, 
        30192, 
        32129, 
        32291, 
        32870, 
        32872, 
        32873, 
        32874, 
        32875, 
        32876, 
        32877, 
        32879, 
        32880, 
        32881
      );
    
      script_name(english:"Mac OS X 10.5.x < 10.5.6 Multiple Vulnerabilities");
      script_summary(english:"Check the version of Mac OS X");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues." );
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.5.x that is prior
    to 10.5.6. 
    
    Mac OS X 10.5.6 contains security fixes for the following products :
    
      - ATS
      - BOM
      - CoreGraphics
      - CoreServices
      - CoreTypes
      - Flash Player Plug-in
      - Kernel
      - Libsystem
      - Managed Client
      - network_cmds
      - Podcast Producer
      - UDF" );
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3338" );
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Dec/msg00000.html" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Mac OS X 10.5.6 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 79, 119, 189, 200, 264, 287, 399);
    
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/12/16");
      script_set_attribute(attribute:"patch_publication_date", value: "2008/12/15");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
      exit(0);
    }
    
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) os = get_kb_item("Host/OS");
    if (!os) exit(0);
    
    if (ereg(pattern:"Mac OS X 10\.5\.[0-5]([^0-9]|$)", string:os)) 
      security_hole(0);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12641.NASL
    descriptionSeveral security issues were fixed : - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) Also one non-security issue was fixed: - nscd in the paranoia mode would crash on the periodic restart in case one of the databases was disabled in the nscd configuration. In addition, the timezone information was updated to the level of 2010l, including the following changes : - Africa/Cairo (Egypt) and Asia/Gaza (Palestine) do not use daylight saving during the month of Ramadan in order to prevent Muslims from fasting one hour longer. http://www.timeanddate.com/news/time/egypt-ends-dst-2010 .html http://www.timeanddate.com/news/time/westbank-gaza-end-d st-2010.html - Africa/Casablanca (Marocco) has spent the period from May 2 to Aug 8 using daylight saving. Marocco adopted regular daylight saving, but the start and end dates vary every year. http://www.timeanddate.com/news/time/morocco-starts-dst- 2010.html - America/Argentina/San_Luis (Argentina region) local government did not terminate its DST period as planned and instead decided to extend its use of the UTC-3 time indefinitely. http://www.worldtimezone.com/dst_news/dst_news_argentina 08.html New zones : - America/Bahia_Banderas (Mexican state of Nayarit) has declared that it is to follow the UCT-6 time instead of UCT-7, with the aim to have the same time as the nearby city of Puerto Vallarta. http://www.worldtimezone.com/dst_news/dst_news_mexico08. html Historical changes : - Asia/Taipei information on DST usage listed 1980 as one year using DST, which should read 1979 instead according to government resources. - Europe/Helsinki, before switching to Central European standard DST in 1983, trialled DST for two years. However, the database omitted to specify that in these trials of 1981 and 1982, switches have been made one hour earlier than in 1983. Spelling changes in Micronesia: - Pacific/Truk has been renamed to Pacific/Chuuk in 1989. - Pacific/Ponape has been renamed to Pacific/Pohnpei in 1984.
    last seen2020-06-01
    modified2020-06-02
    plugin id49758
    published2010-10-06
    reporterThis script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/49758
    titleSuSE9 Security Update : glibc (YOU Patch Number 12641)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(49758);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:37");
    
      script_cve_id("CVE-2008-1391", "CVE-2010-0296", "CVE-2010-0830");
    
      script_name(english:"SuSE9 Security Update : glibc (YOU Patch Number 12641)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security issues were fixed :
    
      - Integer overflow causing arbitrary code execution in
        ld.so --verify mode could be induced by a specially
        crafted binary. (CVE-2010-0830)
    
      - The addmntent() function would not escape the newline
        character properly, allowing the user to insert
        arbitrary newlines to the /etc/mtab; if the addmntent()
        is run by a setuid mount binary that does not do extra
        input checking, this would allow custom entries to be
        inserted in /etc/mtab. (CVE-2010-0296)
    
      - The strfmon() function contains an integer overflow
        vulnerability in width specifiers handling that could be
        triggered by an attacker that can control the format
        string passed to strfmon(). (CVE-2008-1391)
    
    Also one non-security issue was fixed: - nscd in the paranoia mode
    would crash on the periodic restart in case one of the databases was
    disabled in the nscd configuration.
    
    In addition, the timezone information was updated to the level of
    2010l, including the following changes :
    
      - Africa/Cairo (Egypt) and Asia/Gaza (Palestine) do not
        use daylight saving during the month of Ramadan in order
        to prevent Muslims from fasting one hour longer.
        http://www.timeanddate.com/news/time/egypt-ends-dst-2010
        .html
        http://www.timeanddate.com/news/time/westbank-gaza-end-d
        st-2010.html
    
      - Africa/Casablanca (Marocco) has spent the period from
        May 2 to Aug 8 using daylight saving. Marocco adopted
        regular daylight saving, but the start and end dates
        vary every year.
        http://www.timeanddate.com/news/time/morocco-starts-dst-
        2010.html
    
      - America/Argentina/San_Luis (Argentina region) local
        government did not terminate its DST period as planned
        and instead decided to extend its use of the UTC-3 time
        indefinitely.
        http://www.worldtimezone.com/dst_news/dst_news_argentina
        08.html
    
    New zones :
    
      - America/Bahia_Banderas (Mexican state of Nayarit) has
        declared that it is to follow the UCT-6 time instead of
        UCT-7, with the aim to have the same time as the nearby
        city of Puerto Vallarta.
        http://www.worldtimezone.com/dst_news/dst_news_mexico08.
        html
    
    Historical changes :
    
      - Asia/Taipei information on DST usage listed 1980 as one
        year using DST, which should read 1979 instead according
        to government resources.
    
      - Europe/Helsinki, before switching to Central European
        standard DST in 1983, trialled DST for two years.
        However, the database omitted to specify that in these
        trials of 1981 and 1982, switches have been made one
        hour earlier than in 1983.
    
    Spelling changes in Micronesia: - Pacific/Truk has been renamed to
    Pacific/Chuuk in 1989. - Pacific/Ponape has been renamed to
    Pacific/Pohnpei in 1984."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12641.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/08/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"glibc-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"glibc-devel-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"glibc-html-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"glibc-i18ndata-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"glibc-info-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"glibc-locale-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"glibc-profile-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"nscd-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", reference:"timezone-2.3.3-98.114")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"glibc-32bit-9-201008251911")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"glibc-devel-32bit-9-201008251304")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"glibc-locale-32bit-9-201008251304")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-944-1.NASL
    descriptionMaksymilian Arciemowicz discovered that the GNU C library did not correctly handle integer overflows in the strfmon function. If a user or automated system were tricked into processing a specially crafted format string, a remote attacker could crash applications, leading to a denial of service. (Ubuntu 10.04 was not affected.) (CVE-2008-1391) Jeff Layton and Dan Rosenberg discovered that the GNU C library did not correctly handle newlines in the mntent family of functions. If a local attacker were able to inject newlines into a mount entry through other vulnerable mount helpers, they could disrupt the system or possibly gain root privileges. (CVE-2010-0296) Dan Rosenberg discovered that the GNU C library did not correctly validate certain ELF program headers. If a user or automated system were tricked into verifying a specially crafted ELF program, a remote attacker could execute arbitrary code with user privileges. (CVE-2010-0830). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id46731
    published2010-05-26
    reporterUbuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46731
    titleUbuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : glibc, eglibc vulnerabilities (USN-944-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_GLIBC-101026.NASL
    descriptionThis update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
    last seen2020-06-01
    modified2020-06-02
    plugin id50367
    published2010-10-28
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/50367
    titleopenSUSE Security Update : glibc (openSUSE-SU-2010:0914-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2058.NASL
    descriptionSeveral vulnerabilities have been discovered in the GNU C Library (aka glibc) and its derivatives. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-1391, CVE-2009-4880, CVE-2009-4881 Maksymilian Arciemowicz discovered that the GNU C library did not correctly handle integer overflows in the strfmon family of functions. If a user or automated system were tricked into processing a specially crafted format string, a remote attacker could crash applications, leading to a denial of service. - CVE-2010-0296 Jeff Layton and Dan Rosenberg discovered that the GNU C library did not correctly handle newlines in the mntent family of functions. If a local attacker were able to inject newlines into a mount entry through other vulnerable mount helpers, they could disrupt the system or possibly gain root privileges. - CVE-2010-0830 Dan Rosenberg discovered that the GNU C library did not correctly validate certain ELF program headers. If a user or automated system were tricked into verifying a specially crafted ELF program, a remote attacker could execute arbitrary code with user privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id46861
    published2010-06-11
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/46861
    titleDebian DSA-2058-1 : glibc, eglibc - multiple vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-008.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 that does not have Security Update 2008-008 applied. This security update contains fixes for the following products : - BOM - CoreGraphics - CoreServices - Flash Player Plug-in - Libsystem - network_cmds - UDF
    last seen2020-06-01
    modified2020-06-02
    plugin id35110
    published2008-12-16
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35110
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-008)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 28479 CVE ID:CVE-2008-1391 CNCVE ID:CNCVE-20081391 多个BSD平台'strfmon()'函数处理存在整数溢出,可能以受影响应用程序上下文执行任意代码。失败的尝试可导致拒绝服务。 问题代码类似如下: #include &lt;monetary.h&gt; ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...); - --- 1. /usr/src/lib/libc/stdlib/strfmon.c -整数溢出 主要问题存在于strfmon()函数中,当以如下方法使用这个函数时: - ---example-start-- #include &lt;stdio.h&gt; #include &lt;monetary.h&gt; int main(int argc, char* argv[]){ char buff[51]; char *bux=buff; int res; res=strfmon(bux, 50, argv[1], &quot;0&quot;); return 0; } - ---example-end-- 并编译,可操作如下格式串: cxib# ./pln %99999999999999999999n Segmentation fault (core dumped) 问题如下: cxib# gdb -q pln (no debugging symbols found)...(gdb) r %99999999999999999999n Starting program: /cxib/C/pln %99999999999999999999n (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814e0e6 in memmove () from /lib/libc.so.7 (gdb) memmove()会重分配内存。 cxib# gdb -q pln (no debugging symbols found)...(gdb) r %.9999999999n Starting program: /cxib/C/pln %.9999999999n (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x2814f093 in abort () from /lib/libc.so.7 下个例子是: cxib# ./pln %#99999999999999999999n Long execution time. Let's try check this process : - -------------------------- cxib# ps -aux | grep pln cxib 1843 89.1 13.2 140320 119588 p2 R+ 4:29PM 0:09.68 ./pln %#99999999999999999999n cxib# ps -aux | grep pln cxib 1843 94.7 48.4 482336 438236 p2 R+ 4:29PM 1:54.07 ./pln %#99999999999999999999n 1 VSZ=140320 2 VSZ=482336 - ---------------------------- pln会分配更多的内存,PHP在money_format()函数中使用strfmon(),当我们在Apache中使用mod_php5,我们可以建立如下利用方法,结果如下: - ---apache-child-die--- swap_pager: out of swap space swap_pager_getswapspace(16): failed Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap space - ---apache-child-die--- NetBSD NetBSD 4.0 FreeBSD FreeBSD 6.0 .x FreeBSD FreeBSD 6.0 -STABLE FreeBSD FreeBSD 6.0 -RELEASE FreeBSD FreeBSD 7.0 BETA4 FreeBSD FreeBSD 7.0 -RELENG FreeBSD FreeBSD 7.0 -PRERELEASE FreeBSD FreeBSD 7.0 FreeBSD FreeBSD 6.0 -RELEASE-p5 可联系供应商获得补丁信息: <a href=http://www.netbsd.org/ target=_blank>http://www.netbsd.org/</a>
idSSV:3103
last seen2017-11-19
modified2008-03-29
published2008-03-29
reporterRoot
title多个BSD平台'strfmon()'函数整数溢出漏洞

Statements

contributorTomas Hoger
lastmodified2009-09-24
organizationRed Hat
statementRed Hat does not consider this to be a security issue. Properly written application should not use arbitrary untrusted data as part of the format string passed to functions as strfmon or printf family functions.

References