Uudecode performs inadequate checks on user-specified output files

2002-07-15T00:00:00
ID VU:336083
Type cert
Reporter CERT
Modified 2002-12-13T00:00:00

Description

Overview

The uudecode utility contains a vulnerability that allows an attacker to overwrite arbitrary files, symbolic links, and named pipes.

Description

The uudecode utility is used to decode files that have been encoded in the 7-bit printable format generated by uuencode. This format allows for the specification of a desired output file name, which may also contain an absolute or relative path. Some implementations of uudecode fail to check the specified file name or its type before writing, so it is possible for uudecode to overwrite existing files, including regular files, symbolic links, and named pipes.

If an attacker can convince a user to invoke uudecode on a malicious file without reviewing the included file name, the attacker can cause the user to overwrite any file accessible by the user. If the victim user has root privileges, the attacker can exploit this vulnerability to overwrite arbitrary files. With respect to symbolic links and named pipes, attackers who exploit this vulnerability can alter the normal operation of system scripts and running processes, significantly increasing the risk of system compromise.

This vulnerability was first discovered in the uudecode implementation included with the GNU Sharutils package, but may be present in other implementations as well. For more information on GNU Sharutils, please see http://www.gnu.org/directory/sharutils.html.


Impact

Attackers can convince users to overwrite arbitrary files, symbolic links, and named pipes. This ability can be leveraged to gather information, destroy system and user data, and gain control of vulnerable hosts.


Solution

Apply a patch from your vendor

Please see the vendor section of this document for information on obtaining patches.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Cray Inc.| | 15 Jul 2002| 19 Aug 2002
Debian| | 15 Jul 2002| 19 Aug 2002
Gentoo Linux| | 30 Oct 2002| 13 Dec 2002
GNU Sharutils| | -| 15 Jul 2002
Hewlett-Packard Company| | 15 Jul 2002| 13 Dec 2002
Internet Security Systems Inc.| | 19 Aug 2002| 19 Aug 2002
MandrakeSoft| | 15 Jul 2002| 19 Aug 2002
Red Hat Inc.| | 16 Apr 2002| 16 Jul 2002
Sun Microsystems Inc.| | 15 Jul 2002| 19 Aug 2002
The SCO Group (SCO Linux)| | 15 Jul 2002| 13 Dec 2002
The SCO Group (SCO UnixWare)| | 15 Jul 2002| 13 Dec 2002
Fujitsu| | 15 Jul 2002| 19 Aug 2002
Apple Computer Inc.| | 15 Jul 2002| 16 Jul 2002
BSDI| | 15 Jul 2002| 16 Jul 2002
Compaq Computer Corporation| | 15 Jul 2002| 16 Jul 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

Credit

This vulnerability was discovered by AERAsec.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2002-0178
  • Date Public: 16 Apr 2002
  • Date First Published: 15 Jul 2002
  • Date Last Updated: 13 Dec 2002
  • Severity Metric: 9.41
  • Document Revision: 28