CVE-2010-0411 - Numeric Errors vulnerability in Systemtap 1.1

Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |

Summary
Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
description | SystemTap 1.0/1.1 '__get_argv()' and '__get_compat_argv()' Local Memory Corruption Vulnerabilities. CVE-2010-0411. Local exploit for linux platform |
id | EDB-ID:33604 |
last seen | 2016-02-03 |
modified | 2010-02-05 |
published | 2010-02-05 |
reporter | Josh Stone |
source | https://www.exploit-db.com/download/33604/ |
title | SystemTap 1.0/1.1 - '__get_argv' and '__get_compat_argv' Local Memory Corruption Vulnerabilities |
Nessus

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2010-0124.NASL |
description | Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44968 |
published | 2010-03-04 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44968 |
title | CentOS 5 : systemtap (CESA-2010:0124) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2010:0124 and
# CentOS Errata and Security Advisory 2010:0124 respectively.
#

include("compat.inc");

if (description)
{
  script_id(44968);
  script_version("1.12");
  script_cvs_date("Date: 2019/10/25 13:36:05");

  script_cve_id("CVE-2009-4273", "CVE-2010-0411");
  script_xref(name:"RHSA", value:"2010:0124");

  script_name(english:"CentOS 5 : systemtap (CESA-2010:0124)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated systemtap packages that fix two security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

SystemTap is an instrumentation system for systems running the Linux
kernel, version 2.6. Developers can write scripts to collect data on
the operation of the system.

A flaw was found in the SystemTap compile server, stap-server, an
optional component of SystemTap. This server did not adequately
sanitize input provided by the stap-client program, which may allow a
remote user to execute arbitrary shell code with the privileges of the
compile server process, which could possibly be running as the root
user. (CVE-2009-4273)

Note: stap-server is not run by default. It must be started by a user
or administrator.

A buffer overflow flaw was found in SystemTap's tapset __get_argv()
function. If a privileged user ran a SystemTap script that called this
function, a local, unprivileged user could, while that script is still
running, trigger this flaw and cause memory corruption by running a
command with a large argument list, which may lead to a system crash
or, potentially, arbitrary code execution with root privileges.
(CVE-2010-0411)

Note: SystemTap scripts that call __get_argv(), being a privileged
function, can only be executed by the root user or users in the
stapdev group. As well, if such a script was compiled and installed by
root, users in the stapusr group would also be able to execute it.

SystemTap users should upgrade to these updated packages, which
contain backported patches to correct these issues."
  );
  # https://lists.centos.org/pipermail/centos-announce/2010-March/016540.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f3db5478"
  );
  # https://lists.centos.org/pipermail/centos-announce/2010-March/016541.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?e093070f"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected systemtap packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cwe_id(94, 189);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-initscript");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-runtime");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-sdt-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:systemtap-testsuite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

# Flag the host if any of the systemtap packages is older than the fixed build.
flag = 0;
if (rpm_check(release:"CentOS-5", reference:"systemtap-0.9.7-5.el5_4.3")) flag++;
if (rpm_check(release:"CentOS-5", reference:"systemtap-client-0.9.7-5.el5_4.3")) flag++;
if (rpm_check(release:"CentOS-5", reference:"systemtap-initscript-0.9.7-5.el5_4.3")) flag++;
if (rpm_check(release:"CentOS-5", reference:"systemtap-runtime-0.9.7-5.el5_4.3")) flag++;
if (rpm_check(release:"CentOS-5", reference:"systemtap-sdt-devel-0.9.7-5.el5_4.3")) flag++;
if (rpm_check(release:"CentOS-5", reference:"systemtap-server-0.9.7-5.el5_4.3")) flag++;
if (rpm_check(release:"CentOS-5", reference:"systemtap-testsuite-0.9.7-5.el5_4.3")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "systemtap / systemtap-client / systemtap-initscript / etc");
}
```

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_2_SYSTEMTAP-100301.NASL |
description | This updates systemtap to version 1.0. The version update was required to fix two issues: a shell meta-character injection vulnerability that allowed remote users to execute arbitrary commands with the privileges of the stap-server (CVE-2009-4273: CVSS v2 Base Score: 7.9 (important) (AV:A/AC:M/Au:N/C:C/I:C/A:C)) and a remote denial of service bug in the __get_argv() function (CVE-2010-0411: CVSS v2 Base Score: 4.9 (MEDIUM) (AV:L/AC:L/Au:N/C:N/I:N/A:C)). Version 1.0 is also subject to advisory CVE-2009-2911 fixing three denial of service issues when using unprivileged mode. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 46012 |
published | 2010-04-27 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/46012 |
title | openSUSE Security Update : systemtap (openSUSE-SU-2010:0166-1) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2010-0124.NASL |
description | From Red Hat Security Advisory 2010:0124 : Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 68003 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/68003 |
title | Oracle Linux 5 : systemtap (ELSA-2010-0124) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2010-0125.NASL |
description | Updated systemtap packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44962 |
published | 2010-03-03 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44962 |
title | CentOS 4 : systemtap (CESA-2010:0125) |

NASL family | SuSE Local Security Checks |
NASL id | SUSE_11_SYSTEMTAP-100623.NASL |
description | This update of systemtap fixes a shell meta-character injection vulnerability that allows remote users to execute arbitrary commands with the privileges of the stap-server. (CVE-2009-4273) Additionally, a remote denial of service bug in the __get_argv() function has been fixed. (CVE-2010-0411) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 50961 |
published | 2010-12-02 |
reporter | This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/50961 |
title | SuSE 11 Security Update : systemtap (SAT Patch Number 2579) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2010-0125.NASL |
description | Updated systemtap packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44957 |
published | 2010-03-02 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44957 |
title | RHEL 4 : systemtap (RHSA-2010:0125) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-1720.NASL |
description | - Add systemtap-1.1-cfi-cfa_ops-fixes.patch - Resolves RHBZ #564429 - Add systemtap-1.1-get_argv.patch - Resolves CVE-2010-0411 - Add systemtap-1.1-tighten-server-params.patch (excluding testsuite) - Resolves CVE-2010-0412, CVE-2009-4273 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 47266 |
published | 2010-07-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/47266 |
title | Fedora 12 : systemtap-1.1-2.fc12 (2010-1720) |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2010-0124.NASL |
description | Updated systemtap packages that fix two security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 44956 |
published | 2010-03-02 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/44956 |
title | RHEL 5 : systemtap (RHSA-2010:0124) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2010-0125.NASL |
description | From Red Hat Security Advisory 2010:0125 : Updated systemtap packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. SystemTap is an instrumentation system for systems running the Linux kernel, version 2.6. Developers can write scripts to collect data on the operation of the system. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 68004 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/68004 |
title | Oracle Linux 4 : systemtap (ELSA-2010-0125) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2010-1373.NASL |
description | - Add systemtap-1.1-cfi-cfa_ops-fixes.patch - Resolves RHBZ #564429 - Add systemtap-1.1-get_argv.patch - Resolves CVE-2010-0411 - Add systemtap-1.1-tighten-server-params.patch (excluding testsuite) - Resolves CVE-2010-0412, CVE-2009-4273 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 47250 |
published | 2010-07-01 |
reporter | This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/47250 |
title | Fedora 11 : systemtap-1.1-2.fc11 (2010-1373) |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20100301_SYSTEMTAP_ON_SL4_X.NASL |
description | CVE-2010-0411 systemtap: Crash with systemtap script using __get_argv() A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60741 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60741 |
title | Scientific Linux Security Update : systemtap on SL4.x i386/x86_64 |

NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20100301_SYSTEMTAP_ON_SL5_X.NASL |
description | CVE-2009-4273 systemtap: remote code execution via stap-server CVE-2010-0411 systemtap: Crash with systemtap script using __get_argv() A flaw was found in the SystemTap compile server, stap-server, an optional component of SystemTap. This server did not adequately sanitize input provided by the stap-client program, which may allow a remote user to execute arbitrary shell code with the privileges of the compile server process, which could possibly be running as the root user. (CVE-2009-4273) Note: stap-server is not run by default. It must be started by a user or administrator. A buffer overflow flaw was found in SystemTap |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60742 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60742 |
title | Scientific Linux Security Update : systemtap on SL5.x i386/x86_64 |
Oval
accepted | 2013-04-29T04:21:15.130-04:00 |
class | vulnerability |
description | Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow. |
family | unix |
id | oval:org.mitre.oval:def:9675 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow. |
version | 27 |
References
- http://secunia.com/advisories/38426
- http://marc.info/?l=oss-security&m=126530657715364&w=2
- http://www.securityfocus.com/bid/38120
- https://bugzilla.redhat.com/show_bug.cgi?id=559719
- http://sourceware.org/bugzilla/show_bug.cgi?id=11234
- http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035201.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035261.html
- http://secunia.com/advisories/38680
- http://www.redhat.com/support/errata/RHSA-2010-0125.html
- http://secunia.com/advisories/38817
- http://www.redhat.com/support/errata/RHSA-2010-0124.html
- http://secunia.com/advisories/38765
- http://securitytracker.com/id?1023664
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html
- http://www.vupen.com/english/advisories/2010/1001
- http://secunia.com/advisories/39656
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9675
- http://sourceware.org/git/gitweb.cgi?p=systemtap.git%3Ba=commit%3Bh=a2d399c87a642190f08ede63dc6fc434a5a8363a