ID CVE-2004-1167 Type cve Reporter NVD Modified 2017-07-10T21:30:47
Description
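mirrorselect before 0.89 creates temporary files in a world-writable location with predictable file names, which allows remote attackers to overwrite arbitrary files via a symlink attack. The Gentoo advisory (GLSA 200412-05) and the OpenVAS check reproduced in the record below describe the attacker as local rather than remote: the symbolic link has to be placed in the temporary files directory before mirrorselect runs, and the target file is then overwritten with the rights of the user running the utility, which could be root.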
{"openvas": [{"lastseen": "2017-07-24T12:50:17", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200412-05.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54764", "id": "OPENVAS:54764", "title": "Gentoo Security Advisory GLSA 200412-05 (mirrorselect)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"mirrorselect is vulnerable to symlink attacks, potentially allowing a local\nuser to overwrite arbitrary files.\";\ntag_solution = \"All mirrorselect users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-portage/mirrorselect-0.89'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200412-05\nhttp://bugs.gentoo.org/show_bug.cgi?id=73545\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200412-05.\";\n\n \n\nif(description)\n{\n script_id(54764);\n script_cve_id(\"CVE-2004-1167\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200412-05 (mirrorselect)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-portage/mirrorselect\", unaffected: make_list(\"ge 0.89\"), vulnerable: make_list(\"lt 0.89\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:02", "bulletinFamily": "unix", "description": "### Background\n\nmirrorselect is a tool to help select distfiles mirrors for Gentoo. \n\n### Description\n\nErvin Nemeth discovered that mirrorselect creates temporary files in world-writable directories with predictable names. \n\n### Impact\n\nA local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When mirrorselect is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll mirrorselect users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-portage/mirrorselect-0.89\"", "modified": "2006-05-22T00:00:00", "published": "2004-12-07T00:00:00", "id": "GLSA-200412-05", "href": "https://security.gentoo.org/glsa/200412-05", "type": "gentoo", "title": "mirrorselect: Insecure temporary file creation", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:07", "bulletinFamily": "software", "description": "## Vulnerability Description\nGentoo mirrorselect contains a flaw that may allow a malicious user to overwrite arbitrary files using symlink attacks. The issue is triggered when mirrorselect is executed and overwrites the file with the permissions of the user running mirrorselect. It is possible that the flaw may allow arbitrary files being overwritten resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 0.89 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nGentoo mirrorselect contains a flaw that may allow a malicious user to overwrite arbitrary files using symlink attacks. The issue is triggered when mirrorselect is executed and overwrites the file with the permissions of the user running mirrorselect. 
It is possible that the flaw may allow arbitrary files being overwritten resulting in a loss of integrity.\n## References:\nVendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=73545\nSecurity Tracker: 1012450\n[Secunia Advisory ID:13392](https://secuniaresearch.flexerasoftware.com/advisories/13392/)\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200412-05.xml\n[CVE-2004-1167](https://vulners.com/cve/CVE-2004-1167)\n", "modified": "2004-12-07T08:31:08", "published": "2004-12-07T08:31:08", "href": "https://vulners.com/osvdb/OSVDB:12254", "id": "OSVDB:12254", "type": "osvdb", "title": "Gentoo mirrorselect Symlink Arbitrary File Overwrite", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:17", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200412-05 (mirrorselect: Insecure temporary file creation)\n\n Ervin Nemeth discovered that mirrorselect creates temporary files in world-writable directories with predictable names.\n Impact :\n\n A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. 
When mirrorselect is executed, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-08-10T00:00:00", "id": "GENTOO_GLSA-200412-05.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15922", "published": "2004-12-07T00:00:00", "title": "GLSA-200412-05 : mirrorselect: Insecure temporary file creation", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200412-05.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15922);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/08/10 18:07:05\");\n\n script_cve_id(\"CVE-2004-1167\");\n script_xref(name:\"GLSA\", value:\"200412-05\");\n\n script_name(english:\"GLSA-200412-05 : mirrorselect: Insecure temporary file creation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200412-05\n(mirrorselect: Insecure temporary file creation)\n\n Ervin Nemeth discovered that mirrorselect creates temporary files in\n world-writable directories with predictable names.\n \nImpact :\n\n A local attacker could create symbolic links in the temporary files\n directory, pointing to a valid file somewhere on the filesystem. 
When\n mirrorselect is executed, this would result in the file being\n overwritten with the rights of the user running the utility, which\n could be the root user.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200412-05\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All mirrorselect users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-portage/mirrorselect-0.89'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:mirrorselect\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/12/07\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-portage/mirrorselect\", unaffected:make_list(\"ge 0.89\"), vulnerable:make_list(\"lt 0.89\"))) 
flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mirrorselect\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}