Vulnerabilities > CVE-2009-4273 - Code Injection vulnerability in Systemtap

047910
CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
systemtap
CWE-94
nessus
exploit available

Summary

stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

description: SystemTap 1.0 'stat-server' Remote Arbitrary Command Injection Vulnerability. CVE-2009-4273. Remote exploit for linux platform
id: EDB-ID:33535
last seen: 2016-02-03
modified: 2010-01-15
published: 2010-01-15
reporter: Frank Ch. Eigler
source: https://www.exploit-db.com/download/33535/
title: SystemTap 1.0 - 'stat-server' Remote Arbitrary Command Injection Vulnerability

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2010-0124.NASL
    description: Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44968
    published: 2010-03-04
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44968
    title: CentOS 5 : systemtap (CESA-2010:0124)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2010:0124 and 
    # CentOS Errata and Security Advisory 2010:0124 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44968);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:05");
    
      script_cve_id("CVE-2009-4273", "CVE-2010-0411");
      script_xref(name:"RHSA", value:"2010:0124");
    
      script_name(english:"CentOS 5 : systemtap (CESA-2010:0124)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated systemtap packages that fix two security issues are now
    available for Red Hat Enterprise Linux 5.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    SystemTap is an instrumentation system for systems running the Linux
    kernel, version 2.6. Developers can write scripts to collect data on
    the operation of the system.
    
    A flaw was found in the SystemTap compile server, stap-server, an
    optional component of SystemTap. This server did not adequately
    sanitize input provided by the stap-client program, which may allow a
    remote user to execute arbitrary shell code with the privileges of the
    compile server process, which could possibly be running as the root
    user. (CVE-2009-4273)
    
    Note: stap-server is not run by default. It must be started by a user
    or administrator.
    
    A buffer overflow flaw was found in SystemTap's tapset __get_argv()
    function. If a privileged user ran a SystemTap script that called this
    function, a local, unprivileged user could, while that script is still
    running, trigger this flaw and cause memory corruption by running a
    command with a large argument list, which may lead to a system crash
    or, potentially, arbitrary code execution with root privileges.
    (CVE-2010-0411)
    
    Note: SystemTap scripts that call __get_argv(), being a privileged
    function, can only be executed by the root user or users in the
    stapdev group. As well, if such a script was compiled and installed by
    root, users in the stapusr group would also be able to execute it.
    
    SystemTap users should upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2010-March/016540.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f3db5478"
      );
      # https://lists.centos.org/pipermail/centos-announce/2010-March/016541.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e093070f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected systemtap packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(94, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-initscript");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-runtime");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-sdt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-testsuite");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-0.9.7-5.el5_4.3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-client-0.9.7-5.el5_4.3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-initscript-0.9.7-5.el5_4.3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-runtime-0.9.7-5.el5_4.3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-sdt-devel-0.9.7-5.el5_4.3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-server-0.9.7-5.el5_4.3")) flag++;
    if (rpm_check(release:"CentOS-5", reference:"systemtap-testsuite-0.9.7-5.el5_4.3")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemtap / systemtap-client / systemtap-initscript / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_2_SYSTEMTAP-100301.NASL
    description: This updates systemtap to version 1.0. The version update was required to fix two issues: a shell metacharacter injection vulnerability that allowed remote users to execute arbitrary commands with the privileges of the stap-server (CVE-2009-4273: CVSS v2 Base Score: 7.9 (important) (AV:A/AC:M/Au:N/C:C/I:C/A:C)), and a remote denial of service bug in the __get_argv() function (CVE-2010-0411: CVSS v2 Base Score: 4.9 (MEDIUM) (AV:L/AC:L/Au:N/C:N/I:N/A:C)). Version 1.0 is also subject to advisory CVE-2009-2911, fixing three denial of service issues when using unprivileged mode.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 46012
    published: 2010-04-27
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/46012
    title: openSUSE Security Update : systemtap (openSUSE-SU-2010:0166-1)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2010-0124.NASL
    description: From Red Hat Security Advisory 2010:0124 : Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68003
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68003
    title: Oracle Linux 5 : systemtap (ELSA-2010-0124)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_SYSTEMTAP-100623.NASL
    description: This update of systemtap fixes a shell metacharacter injection vulnerability that allows remote users to execute arbitrary commands with the privileges of the stap-server (CVE-2009-4273). Additionally, a remote denial of service bug in the __get_argv() function has been fixed (CVE-2010-0411).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50961
    published: 2010-12-02
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/50961
    title: SuSE 11 Security Update : systemtap (SAT Patch Number 2579)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-0671.NASL
    description: Fixes CVE-2009-4273 (Bugzilla 550172): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4273 New upstream release containing new features and bug fixes: better support for gcc 4.5 richer DWARF debuginfo, new preprocessor conditional for kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47193
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/47193
    title: Fedora 11 : systemtap-1.1-1.fc11 (2010-0671)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-1720.NASL
    description:
      - Add systemtap-1.1-cfi-cfa_ops-fixes.patch - Resolves RHBZ #564429
      - Add systemtap-1.1-get_argv.patch - Resolves CVE-2010-0411
      - Add systemtap-1.1-tighten-server-params.patch (excluding testsuite) - Resolves CVE-2010-0412, CVE-2009-4273
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47266
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47266
    title: Fedora 12 : systemtap-1.1-2.fc12 (2010-1720)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2010-0124.NASL
    description: Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44956
    published: 2010-03-02
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44956
    title: RHEL 5 : systemtap (RHSA-2010:0124)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-1373.NASL
    description:
      - Add systemtap-1.1-cfi-cfa_ops-fixes.patch - Resolves RHBZ #564429
      - Add systemtap-1.1-get_argv.patch - Resolves CVE-2010-0411
      - Add systemtap-1.1-tighten-server-params.patch (excluding testsuite) - Resolves CVE-2010-0412, CVE-2009-4273
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47250
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/47250
    title: Fedora 11 : systemtap-1.1-2.fc11 (2010-1373)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-0688.NASL
    description: Fixes CVE-2009-4273 (Bugzilla 550172): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-4273 New upstream release containing new features and bug fixes: better support for gcc 4.5 richer DWARF debuginfo, new preprocessor conditional for kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47194
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/47194
    title: Fedora 12 : systemtap-1.1-1.fc12 (2010-0688)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20100301_SYSTEMTAP_ON_SL5_X.NASL
    description: CVE-2009-4273 systemtap: remote code execution via stap-server CVE-2010-0411 systemtap: Crash with systemtap script using __get_argv() A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60742
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60742
    title: Scientific Linux Security Update : systemtap on SL5.x i386/x86_64

Oval

accepted: 2013-04-29T04:13:54.794-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.
family: unix
id: oval:org.mitre.oval:def:11417
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.
version: 18

Redhat

advisories:
rhsa:
id: RHSA-2010:0124
rpms:
  • systemtap-0:0.9.7-5.el5_4.3
  • systemtap-client-0:0.9.7-5.el5_4.3
  • systemtap-debuginfo-0:0.9.7-5.el5_4.3
  • systemtap-initscript-0:0.9.7-5.el5_4.3
  • systemtap-runtime-0:0.9.7-5.el5_4.3
  • systemtap-sdt-devel-0:0.9.7-5.el5_4.3
  • systemtap-server-0:0.9.7-5.el5_4.3
  • systemtap-testsuite-0:0.9.7-5.el5_4.3