ID DSA-079 Type debian Reporter Debian Modified 2002-02-08T00:00:00
Description
Zenith Parsec discovered a security hole in Taylor UUCP 1.06.1. It permits a local user to copy any file to anywhere which is writable by the uucp uid, which effectively means that a local user can completely subvert the UUCP subsystem, including stealing mail, etc.
If a remote user with UUCP access is able to create files on the local system, and can successfully make certain guesses about the local directory structure layout, then the remote user can also subvert the UUCP system. A default installation of UUCP will permit a remote user to create files on the local system if the UUCP public directory has been created with world write permissions.
Obviously this security hole is serious for anybody who uses UUCP on a multi-user system with untrusted users, or anybody who uses UUCP and permits connections from untrusted remote systems.
It was thought that this problem has been fixed with DSA 079-1, but that didn't fix all variations of the problem. The problem is fixed in version 1.06.1-11potato2 of uucp which uses a patch from the upstream author Ian Lance Taylor.
We recommend that you upgrade your uucp package immediately.
{"title": "uucp -- uucp uid/gid access", "reporter": "Debian", "lastseen": "2016-09-02T18:26:58", "history": [], "modified": "2002-02-08T00:00:00", "enchantments": {"vulnersScore": 2.1}, "hash": "8f6870304e49aa2f4d45da10804759e5435a63fb7097ebdb84b32209aafd1ae0", "cvelist": ["CVE-2001-0873"], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "sparc", "packageFilename": "uucp_1.06.1-11potato2_sparc.deb"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1.orig", "operator": "lt", "packageName": "uucp", "arch": "src", "packageFilename": "uucp_1.06.1.orig.tar.gz"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "ppc", "packageFilename": "uucp_1.06.1-11potato2_powerpc.deb"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2.diff", "operator": "lt", "packageName": "uucp", "arch": "src", "packageFilename": "uucp_1.06.1-11potato2.diff.gz"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "alpha", "packageFilename": "uucp_1.06.1-11potato2_alpha.deb"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "src", "packageFilename": "uucp_1.06.1-11potato2.dsc"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "m68k", "packageFilename": "uucp_1.06.1-11potato2_m68k.deb"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "arm", "packageFilename": "uucp_1.06.1-11potato2_arm.deb"}, {"OS": "Debian GNU/Linux", "OSVersion": "2.2", "packageVersion": "1.06.1-11potato2", "operator": "lt", "packageName": "uucp", "arch": "i686", "packageFilename": "uucp_1.06.1-11potato2_i386.deb"}], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "viewCount": 0, "objectVersion": "1.2", "edition": 1, "description": "Zenith Parsec discovered a security hole in Taylor UUCP 1.06.1. It permits a local user to copy any file to anywhere which is writable by the uucp uid, which effectively means that a local user can completely subvert the UUCP subsystem, including stealing mail, etc.\n\nIf a remote user with UUCP access is able to create files on the local system, and can successfully make certain guesses about the local directory structure layout, then the remote user can also subvert the UUCP system. A default installation of UUCP will permit a remote user to create files on the local system if the UUCP public directory has been created with world write permissions.\n\nObviously this security hole is serious for anybody who uses UUCP on a multi-user system with untrusted users, or anybody who uses UUCP and permits connections from untrusted remote systems.\n\nIt was thought that this problem has been fixed with DSA 079-1, but that didn't fix all variations of the problem. The problem is fixed in version 1.06.1-11potato2 of uucp which uses a patch from the upstream author Ian Lance Taylor.\n\nWe recommend that you upgrade your uucp package immediately.", "type": "debian", "references": [], "href": "http://www.debian.org/security/dsa-079", "published": "2002-02-08T00:00:00", "bulletinFamily": "unix", "id": "DSA-079"}
{"result": {"cve": [{"id": "CVE-2001-0873", "type": "cve", "title": "CVE-2001-0873", "description": "uuxqt in Taylor UUCP package does not properly remove dangerous long options, which allows local users to gain privileges by calling uux and specifying an alternate configuration file with the --config option.", "published": "2001-12-21T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0873", "cvelist": ["CVE-2001-0873"], "lastseen": "2017-10-10T10:34:45"}], "cert": [{"id": "VU:798263", "type": "cert", "title": "Taylor UUCP Package fails to properly filter command line arguments", "description": "### Overview\n\nSeveral Linux/Unix systems ship with a utility package called Taylor UUCP. A component of the UUCP package, uuxqt, fails to properly filter arguments from the commands sent to it. This can allow an intruder to gain elevated privileges and execute commands with the privileges of uucp, usually root.\n\n### Description\n\nA component of the UUCP package, uuxqt, is a daemon that executes commands requested by uux either from the local system or from remote systems. Before executing the command, uuxqt is supposed to filter dangerous command arguments. It fails to properly filter command line arguments that are specified in their long format. This can allow an intruder to gain elevated privileges and execute commands. \n \n--- \n \n### Impact\n\nAn intruder can gain elevated privileges and execute commands. \n \n--- \n \n### Solution\n\nApply the patches and upgrades provided by your vendor. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nCaldera| | -| 25 Sep 2001 \nConectiva| | -| 25 Sep 2001 \nDebian| | -| 25 Sep 2001 \nFreeBSD| | 24 Sep 2001| 09 Oct 2001 \nHewlett Packard| | 24 Sep 2001| 08 Feb 2002 \nMandrakeSoft| | -| 25 Sep 2001 \nOpenBSD| | -| 25 Sep 2001 \nRed Hat| | 25 Sep 2001| 18 Jan 2002 \nSuSE| | -| 17 Jan 2002 \nApple| | -| 26 Sep 2001 \nIBM| | 25 Sep 2001| 17 Jan 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23798263 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.securityfocus.com/bid/3312>\n * <http://www.redhat.com/support/errata/RHSA-2001-165.html>\n * <http://www.suse.de/de/support/security/2001_038_uucp_txt.txt>\n * <http://www.caldera.com/support/security/advisories/CSSA-2001-033.0.txt>\n * <http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-078.php3?dis=8.0>\n * [http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000425](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425>)\n * <http://archives.neohapsis.com/archives/bugtraq/2001-09/0053.html>\n\n### Credit\n\nThis vulnerability was discovered by zen-parse.\n\nThis document was written by Jason Rafail.\n\n### Other Information\n\n * CVE IDs: [CAN-2001-0873](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2001-0873>)\n * Date Public: 08 Sep 2001\n * Date First Published: 25 Sep 2001\n * Date Last Updated: 08 Feb 2002\n * Severity Metric: 21.37\n * Document Revision: 10\n\n", "published": "2001-09-25T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/798263", "cvelist": ["CVE-2001-0873", "CVE-2001-0873"], "lastseen": "2016-02-03T09:12:58"}], "nessus": [{"id": "DEBIAN_DSA-079.NASL", "type": "nessus", "title": "Debian DSA-079-2 : uucp - uucp uid/gid access", "description": "Zenith Parsec discovered a security hole in Taylor UUCP 1.06.1. It permits a local user to copy any file to anywhere which is writable by the uucp uid, which effectively means that a local user can completely subvert the UUCP subsystem, including stealing mail, etc.\n\nIf a remote user with UUCP access is able to create files on the local system, and can successfully make certain guesses about the local directory structure layout, then the remote user can also subvert the UUCP system. A default installation of UUCP will permit a remote user to create files on the local system if the UUCP public directory has been created with world write permissions.\n\nObviously this security hole is serious for anybody who uses UUCP on a multi-user system with untrusted users, or anybody who uses UUCP and permits connections from untrusted remote systems.\n\nIt was thought that this problem has been fixed with DSA 079-1, but that didn't fix all variations of the problem. The problem is fixed in version 1.06.1-11potato2 of uucp which uses a patch from the upstream author Ian Lance Taylor.", "published": "2004-09-29T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14916", "cvelist": ["CVE-2001-0873"], "lastseen": "2017-10-29T13:36:42"}], "exploitdb": [{"id": "EDB-ID:21106", "type": "exploitdb", "title": "Taylor UUCP 1.0.6 - Argument Handling Privilege Elevation Vulnerability", "description": "Taylor UUCP 1.0.6 Argument Handling Privilege Elevation Vulnerability. CVE-2001-0873. Local exploit for unix platform", "published": "2001-09-08T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/21106/", "cvelist": ["CVE-2001-0873"], "lastseen": "2016-02-02T15:41:19"}], "openvas": [{"id": "OPENVAS:53389", "type": "openvas", "title": "Debian Security Advisory DSA 079-2 (uucp)", "description": "The remote host is missing an update to uucp\nannounced via advisory DSA 079-2.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53389", "cvelist": ["CVE-2001-0873"], "lastseen": "2017-07-24T12:49:54"}, {"id": "OPENVAS:53570", "type": "openvas", "title": "Debian Security Advisory DSA 079-1 (uucp)", "description": "The remote host is missing an update to uucp\nannounced via advisory DSA 079-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53570", "cvelist": ["CVE-2001-0873"], "lastseen": "2017-07-24T12:50:05"}], "suse": [{"id": "SUSE-SA:2001:38", "type": "suse", "title": "local privilege escalations (probably root) in uucp", "description": "UUCP is a well known tool suite for copying data between unix-like systems. Zen-Parse reported that the higher privileges of uux (UID uucp) aren't dropped if long options instead of normal (short) options are used. An attacker could exploit this hole, by specifying a malicious configuration file to execute and/or access arbitrary data with the privilege of user uucp.", "published": "2001-10-31T16:42:46", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2001-10/msg00011.html", "cvelist": ["CVE-2001-0873"], "lastseen": "2016-09-04T11:56:37"}], "osvdb": [{"id": "OSVDB:5532", "type": "osvdb", "title": "Taylor UUCP uuxqt Alternate Config Privilege Escalation", "description": "# No description provided by the source\n\n## References:\nRedHat RHSA: RHSA-2001:165\nISS X-Force ID: 7099\n[CVE-2001-0873](https://vulners.com/cve/CVE-2001-0873)\nBugtraq ID: 3312\n", "published": "2004-04-08T23:11:46", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:5532", "cvelist": ["CVE-2001-0873"], "lastseen": "2017-04-28T13:20:00"}]}}
