Vulnerabilities > CVE-2008-4865 - Local Security vulnerability in Valgrind
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario.
Vulnerable Configurations
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_VALGRIND-5809.NASL description valgrind reads a file .valgrindrc in the current directory. Therefore local users could place such a file a world-writable directory such as /tmp and influence other users last seen 2020-06-01 modified 2020-06-02 plugin id 34989 published 2008-12-01 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/34989 title openSUSE 10 Security Update : valgrind (valgrind-5809) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update valgrind-5809. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(34989); script_version ("1.8"); script_cvs_date("Date: 2019/10/25 13:36:33"); script_cve_id("CVE-2008-4865"); script_name(english:"openSUSE 10 Security Update : valgrind (valgrind-5809)"); script_summary(english:"Check for the valgrind-5809 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "valgrind reads a file .valgrindrc in the current directory. Therefore local users could place such a file a world-writable directory such as /tmp and influence other users' valgrind when it's executed there (CVE-2008-4865)." ); script_set_attribute( attribute:"solution", value:"Update the affected valgrind packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:valgrind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:valgrind-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.2|SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2 / 10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.2", reference:"valgrind-3.2.3-17.3") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"valgrind-3.2.3-57.2") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"valgrind-devel-3.2.3-57.2") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "valgrind / valgrind-devel"); }NASL family SuSE Local Security Checks NASL id SUSE_VALGRIND-5803.NASL description valgrind reads a file .valgrindrc in the current directory. Therefore local users could place such a file a world-writable directory such as /tmp and influence other users last seen 2020-06-01 modified 2020-06-02 plugin id 51763 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51763 title SuSE 10 Security Update : valgrind (ZYPP Patch Number 5803) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(51763); script_version ("1.6"); script_cvs_date("Date: 2019/10/25 13:36:33"); script_cve_id("CVE-2008-4865"); script_name(english:"SuSE 10 Security Update : valgrind (ZYPP Patch Number 5803)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "valgrind reads a file .valgrindrc in the current directory. Therefore local users could place such a file a world-writable directory such as /tmp and influence other users' valgrind when it's executed there. (CVE-2008-4865)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2008-4865.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 5803."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:2, reference:"valgrind-3.3.0-15.5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-057.NASL description A vulnerability has been identified and corrected in valgrind : Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario. (CVE-2008-4865) The updated packages have been patched to prevent this. last seen 2020-06-01 modified 2020-06-02 plugin id 38051 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38051 title Mandriva Linux Security Advisory : valgrind (MDVSA-2009:057) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:057. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(38051); script_version ("1.11"); script_cvs_date("Date: 2019/08/02 13:32:51"); script_cve_id("CVE-2008-4865"); script_xref(name:"MDVSA", value:"2009:057"); script_name(english:"Mandriva Linux Security Advisory : valgrind (MDVSA-2009:057)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandriva Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "A vulnerability has been identified and corrected in valgrind : Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario. (CVE-2008-4865) The updated packages have been patched to prevent this." ); script_set_attribute( attribute:"solution", value:"Update the affected valgrind package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:valgrind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.0", reference:"valgrind-3.2.3-2.2mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"valgrind-3.3.0-3.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"valgrind-3.3.1-2.1mdv2009.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200902-03.NASL description The remote host is affected by the vulnerability described in GLSA-200902-03 (Valgrind: Untrusted search path) Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the current working directory, executing commands specified there. Impact : A local attacker could prepare a specially crafted .valgrindrc file and entice a user to run Valgrind from the directory containing that file, resulting in the execution of arbitrary code with the privileges of the user running Valgrind. Workaround : Do not run last seen 2020-06-01 modified 2020-06-02 plugin id 35674 published 2009-02-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35674 title GLSA-200902-03 : Valgrind: Untrusted search path code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200902-03. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(35674); script_version("1.9"); script_cvs_date("Date: 2019/08/02 13:32:45"); script_cve_id("CVE-2008-4865"); script_xref(name:"GLSA", value:"200902-03"); script_name(english:"GLSA-200902-03 : Valgrind: Untrusted search path"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200902-03 (Valgrind: Untrusted search path) Tavis Ormandy reported that Valgrind loads a .valgrindrc file in the current working directory, executing commands specified there. Impact : A local attacker could prepare a specially crafted .valgrindrc file and entice a user to run Valgrind from the directory containing that file, resulting in the execution of arbitrary code with the privileges of the user running Valgrind. Workaround : Do not run 'valgrind' from untrusted working directories." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200902-03" ); script_set_attribute( attribute:"solution", value: "All Valgrind users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-util/valgrind-3.4.0'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:valgrind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/02/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/02/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-util/valgrind", unaffected:make_list("ge 3.4.0"), vulnerable:make_list("lt 3.4.0"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Valgrind"); }NASL family SuSE Local Security Checks NASL id SUSE_11_0_VALGRIND-081121.NASL description valgrind reads a file .valgrindrc in the current directory. Therefore local users could place such a file a world-writable directory such as /tmp and influence other users last seen 2020-06-01 modified 2020-06-02 plugin id 40146 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40146 title openSUSE Security Update : valgrind (valgrind-321) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update valgrind-321. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(40146); script_version("1.10"); script_cvs_date("Date: 2019/10/25 13:36:31"); script_cve_id("CVE-2008-4865"); script_name(english:"openSUSE Security Update : valgrind (valgrind-321)"); script_summary(english:"Check for the valgrind-321 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "valgrind reads a file .valgrindrc in the current directory. Therefore local users could place such a file a world-writable directory such as /tmp and influence other users' valgrind when it's executed there (CVE-2008-4865)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=445013" ); script_set_attribute( attribute:"solution", value:"Update the affected valgrind packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:valgrind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:valgrind-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/11/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.0", reference:"valgrind-3.3.0-43.2") ) flag++; if ( rpm_check(release:"SUSE11.0", reference:"valgrind-devel-3.3.0-43.2") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "valgrind / valgrind-devel"); }
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Statements
| contributor | Tomas Hoger |
| lastmodified | 2009-02-05 |
| organization | Red Hat |
| statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-4865 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.html
- http://secunia.com/advisories/33568
- http://security.gentoo.org/glsa/glsa-200902-03.xml
- http://sourceforge.net/mailarchive/forum.php?thread_name=200901032045.17604.jseward%40acm.org&forum_name=valgrind-announce
- http://www.openwall.com/lists/oss-security/2008/10/27/4
- http://www.openwall.com/lists/oss-security/2008/10/28/5
- http://www.openwall.com/lists/oss-security/2008/10/29/5
- http://www.openwall.com/lists/oss-security/2008/10/29/9