Vulnerabilities > CVE-2008-5983 - Untrusted Search Path vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging/Manipulating Configuration File Search Paths This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1596-1.NASL description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 11.04. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. This issue only affected Ubuntu 11.04. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certian circumstances. This update adds the last seen 2020-06-01 modified 2020-06-02 plugin id 62436 published 2012-10-05 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62436 title Ubuntu 10.04 LTS / 11.04 / 11.10 : python2.6 vulnerabilities (USN-1596-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-9565.NASL description - Fri Jun 4 2010 David Malcolm <dmalcolm at redhat.com> - 2.6.2-8 - ensure that the compiler is invoked with last seen 2020-06-01 modified 2020-06-02 plugin id 47600 published 2010-07-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47600 title Fedora 12 : python-2.6.2-8.fc12 (2010-9565) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1613-2.NASL description USN-1613-1 fixed vulnerabilities in Python 2.5. This update provides the corresponding updates for Python 2.4. It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that the Expat module in Python 2.5 computed hash values without restricting the ability to trigger hash collisions predictably. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876) Tim Boddy discovered that the Expat module in Python 2.5 did not properly handle memory reallocation when processing XML files. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive memory resources. (CVE-2012-1148). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 62620 published 2012-10-18 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62620 title Ubuntu 8.04 LTS : python2.4 vulnerabilities (USN-1613-2) NASL family Fedora Local Security Checks NASL id FEDORA_2010-9652.NASL description - Fri Jun 4 2010 David Malcolm <dmalcolm at redhat.com> - 2.6.4-27 - ensure that the compiler is invoked with last seen 2020-06-01 modified 2020-06-02 plugin id 47547 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/47547 title Fedora 13 : python-2.6.4-27.fc13 (2010-9652) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0008_PYTHON.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has python packages installed that are affected by multiple vulnerabilities: - Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. (CVE-2007-4965) - Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context- dependent attackers to defeat cryptographic digests, related to partial hashlib hashing of data exceeding 4GB. (CVE-2008-2316) - Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory. (CVE-2008-5983) - Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context- dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5. (CVE-2010-1634) - The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one- byte string, a different vulnerability than CVE-2010-1634. (CVE-2010-2089) - The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a last seen 2020-06-01 modified 2020-06-02 plugin id 127154 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127154 title NewStart CGSL MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0008) NASL family Fedora Local Security Checks NASL id FEDORA_2010-13388.NASL description - Backport from F14: - Fix for lone surrogates, utf8 and certain encode error handlers. - Fix an incompatibility between pyexpat and the system expat-2.0.1 that led to a segfault running test_pyexpat.py (patch 110; upstream issue 9054; rhbz#610312) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 49107 published 2010-09-04 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49107 title Fedora 13 : python3-3.1.2-7.fc13 (2010-13388) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1613-1.NASL description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. (CVE-2010-1634, CVE-2010-2089) Giampaolo Rodola discovered several race conditions in the smtpd module. A remote attacker could exploit this to cause a denial of service via daemon outage. (CVE-2010-3493) It was discovered that the CGIHTTPServer module did not properly perform input validation on certain HTTP GET requests. A remote attacker could potentially obtain access to CGI script source files. (CVE-2011-1015) Niels Heinen discovered that the urllib and urllib2 modules would process Location headers that specify a redirection to file: URLs. A remote attacker could exploit this to obtain sensitive information or cause a denial of service. (CVE-2011-1521) It was discovered that SimpleHTTPServer did not use a charset parameter in the Content-Type HTTP header. An attacker could potentially exploit this to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 users. (CVE-2011-4940) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that the Expat module in Python 2.5 computed hash values without restricting the ability to trigger hash collisions predictably. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive CPU resources. (CVE-2012-0876) Tim Boddy discovered that the Expat module in Python 2.5 did not properly handle memory reallocation when processing XML files. If a user or application using pyexpat were tricked into opening a crafted XML file, an attacker could cause a denial of service by consuming excessive memory resources. (CVE-2012-1148). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 62619 published 2012-10-18 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62619 title Ubuntu 8.04 LTS : python2.5 vulnerabilities (USN-1613-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_E848A92F0E7D11DE92DE000BCDC1757A.NASL description CVE Mitre reports : Untrusted search path vulnerability in the Python interface in Epiphany 2.22.3, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983). last seen 2020-06-01 modified 2020-06-02 plugin id 35910 published 2009-03-12 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35910 title FreeBSD : epiphany -- untrusted search path vulnerability (e848a92f-0e7d-11de-92de-000bcdc1757a) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1616-1.NASL description It was discovered that Python would prepend an empty string to sys.path under certain circumstances. A local attacker with write access to the current working directory could exploit this to execute arbitrary code. This issue only affected Ubuntu 10.04 LTS. (CVE-2008-5983) It was discovered that the audioop module did not correctly perform input validation. If a user or automated system were tricked into opening a crafted audio file, an attacker could cause a denial of service via application crash. These issues only affected Ubuntu 10.04 LTS. (CVE-2010-1634, CVE-2010-2089) It was discovered that Python distutils contained a race condition when creating the ~/.pypirc file. A local attacker could exploit this to obtain sensitive information. (CVE-2011-4944) It was discovered that SimpleXMLRPCServer did not properly validate its input when handling HTTP POST requests. A remote attacker could exploit this to cause a denial of service via excessive CPU utilization. (CVE-2012-0845) It was discovered that Python was susceptible to hash algorithm attacks. An attacker could cause a denial of service under certian circumstances. This update adds the last seen 2020-06-01 modified 2020-06-02 plugin id 62700 published 2012-10-25 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62700 title Ubuntu 10.04 LTS / 11.04 : python3.1 vulnerabilities (USN-1616-1) NASL family Fedora Local Security Checks NASL id FEDORA_2009-1295.NASL description - Fri Jan 30 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1:1.8.2-4 - Resolves CVE-2009-5983 - Version Bump Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 35596 published 2009-02-05 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35596 title Fedora 9 : gnumeric-1.8.2-4.fc9 (2009-1295) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-0027.NASL description Updated python packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Python is an interpreted, interactive, object-oriented programming language. It was found that many applications embedding the Python interpreter did not specify a valid full path to the script or application when calling the PySys_SetArgv API function, which could result in the addition of the current working directory to the module search path (sys.path). A local attacker able to trick a victim into running such an application in an attacker-controlled directory could use this flaw to execute code with the victim last seen 2020-06-01 modified 2020-06-02 plugin id 51524 published 2011-01-14 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51524 title RHEL 5 : python (RHSA-2011:0027) NASL family Scientific Linux Local Security Checks NASL id SL_20110113_PYTHON_ON_SL5_X.NASL description It was found that many applications embedding the Python interpreter did not specify a valid full path to the script or application when calling the PySys_SetArgv API function, which could result in the addition of the current working directory to the module search path (sys.path). A local attacker able to trick a victim into running such an application in an attacker-controlled directory could use this flaw to execute code with the victim last seen 2020-06-01 modified 2020-06-02 plugin id 60935 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60935 title Scientific Linux Security Update : python on SL5.x i386/x86_64 NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200903-41.NASL description The remote host is affected by the vulnerability described in GLSA-200903-41 (gedit: Untrusted search path) James Vega reported that gedit uses the current working directory when searching for python modules, a vulnerability related to CVE-2008-5983. Impact : A local attacker could entice a user to open gedit from a specially crafted environment, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. Workaround : Do not run gedit from untrusted working directories. last seen 2020-06-01 modified 2020-06-02 plugin id 36055 published 2009-03-31 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36055 title GLSA-200903-41 : gedit: Untrusted search path NASL family Fedora Local Security Checks NASL id FEDORA_2009-1289.NASL description - Fri Jan 30 2009 Huzaifa Sidhpurwala <huzaifas at redhat.com> 1:1.8.2-6 - Resolves CVE-2008-5983 - Version bump to match the rawhide version Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37680 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37680 title Fedora 10 : gnumeric-1.8.2-6.fc10 (2009-1289) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200904-06.NASL description The remote host is affected by the vulnerability described in GLSA-200904-06 (Eye of GNOME: Untrusted search path) James Vega reported an untrusted search path vulnerability in the GObject Python interpreter wrapper in the Eye of GNOME, a vulnerabiliy related to CVE-2008-5983. Impact : A local attacker could entice a user to run the Eye of GNOME from a directory containing a specially crafted python module, resulting in the execution of arbitrary code with the privileges of the user running the application. Workaround : Do not run last seen 2020-06-01 modified 2020-06-02 plugin id 36094 published 2009-04-07 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36094 title GLSA-200904-06 : Eye of GNOME: Untrusted search path
Redhat
| advisories |
| ||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 33444 CVE(CAN) ID: CVE-2009-0315 X-Chat是一款免费开放源代码的IRC客户端。 xchat的Python模块中使用了不可信任的搜索路径,本地用户可以在当前工作目录中放置恶意的Python文件并利用PySys_SetArgv函数调用中的安全漏洞(CVE-2008-5983)执行任意代码。 X-Chat X-Chat 2.8.7b X-Chat X-Chat 2.8.6 厂商补丁: X-Chat ------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: <a href=http://www.xchat.org/ target=_blank rel=external nofollow>http://www.xchat.org/</a> |
| id | SSV:4870 |
| last seen | 2017-11-19 |
| modified | 2009-03-05 |
| published | 2009-03-05 |
| reporter | Root |
| title | XChat PySys_SetArgv函数命令执行漏洞 |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html
- http://secunia.com/advisories/34522
- http://secunia.com/advisories/34522
- http://secunia.com/advisories/40194
- http://secunia.com/advisories/40194
- http://secunia.com/advisories/42888
- http://secunia.com/advisories/42888
- http://secunia.com/advisories/50858
- http://secunia.com/advisories/50858
- http://secunia.com/advisories/51024
- http://secunia.com/advisories/51024
- http://secunia.com/advisories/51040
- http://secunia.com/advisories/51040
- http://secunia.com/advisories/51087
- http://secunia.com/advisories/51087
- http://security.gentoo.org/glsa/glsa-200903-41.xml
- http://security.gentoo.org/glsa/glsa-200903-41.xml
- http://security.gentoo.org/glsa/glsa-200904-06.xml
- http://security.gentoo.org/glsa/glsa-200904-06.xml
- http://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg586010.html
- http://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg586010.html
- http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html
- http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html
- http://www.openwall.com/lists/oss-security/2009/01/26/2
- http://www.openwall.com/lists/oss-security/2009/01/26/2
- http://www.openwall.com/lists/oss-security/2009/01/28/5
- http://www.openwall.com/lists/oss-security/2009/01/28/5
- http://www.openwall.com/lists/oss-security/2009/01/30/2
- http://www.openwall.com/lists/oss-security/2009/01/30/2
- http://www.redhat.com/support/errata/RHSA-2011-0027.html
- http://www.redhat.com/support/errata/RHSA-2011-0027.html
- http://www.ubuntu.com/usn/USN-1596-1
- http://www.ubuntu.com/usn/USN-1596-1
- http://www.ubuntu.com/usn/USN-1613-1
- http://www.ubuntu.com/usn/USN-1613-1
- http://www.ubuntu.com/usn/USN-1613-2
- http://www.ubuntu.com/usn/USN-1613-2
- http://www.ubuntu.com/usn/USN-1616-1
- http://www.ubuntu.com/usn/USN-1616-1
- http://www.vupen.com/english/advisories/2010/1448
- http://www.vupen.com/english/advisories/2010/1448
- http://www.vupen.com/english/advisories/2011/0122
- http://www.vupen.com/english/advisories/2011/0122
- https://bugzilla.redhat.com/show_bug.cgi?id=482814
- https://bugzilla.redhat.com/show_bug.cgi?id=482814