Vulnerabilities > CVE-2008-1926 - Code Injection vulnerability in Linux Util-Linux
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 5 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-0981.NASL description An updated util-linux package that fixes one security issue and several bugs is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The util-linux package contains a collection of basic system utilities, such as fdisk and mount. A log injection attack was found in util-linux when logging log in attempts via the audit subsystem of the Linux kernel. A remote attacker could use this flaw to modify certain parts of logged events, possibly hiding their activities on a system. (CVE-2008-1926) This updated package also fixes the following bugs : * partitions created by VMware ESX(tm) were not included in the list of recognized file systems used by fdisk. Consequently, if VMware ESX was installed, last seen 2020-06-01 modified 2020-06-02 plugin id 67065 published 2013-06-29 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67065 title CentOS 4 : util-linux (CESA-2009:0981) NASL family Fedora Local Security Checks NASL id FEDORA_2008-3419.NASL description - Tue Apr 22 2008 Karel Zak <kzak at redhat.com> 2.13.1-2 - fix audit log injection attack via login - Wed Jan 16 2008 Karel Zak <kzak at redhat.com> 2.13.1-1 - upgrade to stable util-linux-ng 2.13.1 - fix #427874 - util-linux-ng gets last seen 2020-06-01 modified 2020-06-02 plugin id 32108 published 2008-05-01 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/32108 title Fedora 8 : util-linux-ng-2.13.1-2.fc8 (2008-3419) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-0981.NASL description An updated util-linux package that fixes one security issue and several bugs is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The util-linux package contains a collection of basic system utilities, such as fdisk and mount. A log injection attack was found in util-linux when logging log in attempts via the audit subsystem of the Linux kernel. A remote attacker could use this flaw to modify certain parts of logged events, possibly hiding their activities on a system. (CVE-2008-1926) This updated package also fixes the following bugs : * partitions created by VMware ESX(tm) were not included in the list of recognized file systems used by fdisk. Consequently, if VMware ESX was installed, last seen 2020-06-01 modified 2020-06-02 plugin id 38817 published 2009-05-19 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38817 title RHEL 4 : util-linux (RHSA-2009:0981) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-114.NASL description Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events. The updated packages have been patched to fix the issue. last seen 2020-06-01 modified 2020-06-02 plugin id 36569 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36569 title Mandriva Linux Security Advisory : util-linux-ng (MDVSA-2008:114)
Oval
| accepted | 2013-04-29T04:22:37.269-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:9833 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." | ||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 28983 CVE(CAN) ID: CVE-2008-1926 util-linux-ng是增强版本的Util-linux软件包,包含有多种linux工具和应用。 util-linux-ng软件包的login.c在记录登录尝试时存在参数注入漏洞,远程攻击者可以在登录名称中添加addr=语句在审计日志中修改部分日志事件,从而隐藏其登录尝试等行为。 Karel Zak util-linux-ng < 2.13.1.1 Karel Zak --------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng/v2.13 target=_blank>ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng/v2.13</a> |
| id | SSV:3244 |
| last seen | 2017-11-19 |
| modified | 2008-04-30 |
| published | 2008-04-30 |
| reporter | Root |
| title | util-linux-ng登录远程日志注入漏洞 |
Statements
| contributor | Mark J Cox |
| lastmodified | 2009-05-18 |
| organization | Red Hat |
| statement | Red Hat is aware of this issue affecting Red Hat Enterprise Linux 5 and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1926 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. This issue has been addressed in Red Hat Enterprise Linux 4 with the following update: https://rhn.redhat.com/errata/RHSA-2009-0981.html |
References
- https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00624.html
- http://www.securityfocus.com/bid/28983
- http://secunia.com/advisories/29982
- http://secunia.com/advisories/30014
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:114
- http://www.redhat.com/support/errata/RHSA-2009-0981.html
- http://www.securitytracker.com/id?1022256
- http://secunia.com/advisories/35161
- http://wiki.rpath.com/Advisories:rPSA-2009-0143
- http://www.vupen.com/english/advisories/2008/1392/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41987
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9833
- http://www.securityfocus.com/archive/1/507854/100/0/threaded
- http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git%3Ba=blobdiff%3Bf=login-utils/login.c%3Bh=230121316d953c59e7842c1325f6e9f326a37608%3Bhp=aad27794327c60391b5148b367d2c79338fc6ee4%3Bhb=8ccf0b253ac0f4f58d64bc9674de18bff5a88782%3Bhpb=3a4a13b12a8065b0b5354686d2807cce421a9973
- http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git%3Ba=commit%3Bh=8ccf0b253ac0f4f58d64bc9674de18bff5a88782