GNU a2ps 4.13 File Name Command Execution Vulnerability
Published: 2004-08-24T00:00:00
ID: EDB-ID:24406 | Type: exploitdb | Reporter: Rudolf Polzer | Modified: 2004-08-24T00:00:00
Description
GNU a2ps 4.13 File Name Command Execution Vulnerability. CVE-2004-1170. Local exploit for the Linux platform.
source: http://www.securityfocus.com/bid/11025/info
Reportedly GNU a2ps is affected by a filename command-execution vulnerability. This issue is due to the application's failure to properly sanitize filenames.
An attacker might leverage this issue to execute arbitrary shell commands with the privileges of an unsuspecting user running the vulnerable application.
Although this issue reportedly affects only a2ps version 4.13, other versions are likely affected as well.
$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
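The pattern behind this bug is a program splicing a raw filename into a shell command string (the FreeBSD advisory on this page notes that a2ps built the command line for file() from an unescaped filename). The following is an added example, not a2ps code: it contrasts that pattern with an argv-based invocation and with proper shell quoting, and adds the filename audit a defender can run over a directory before batch-processing it. It assumes printf(1) and echo as stand-ins for file(1) so it runs anywhere, and the sample filename is constructed.

```python
import os
import re
import shlex
import subprocess

# Constructed sample filename in the shape the advisory describes: under /bin/sh
# the backticks are command substitution, so an unquoted use runs `echo 42`.
SAMPLE_NAME = "x`echo 42`.c"

# Characters the Bourne shell treats specially; a name containing any of them
# must never be concatenated verbatim into a command string.
SHELL_META = re.compile(r'[`$;&|<>()\s\'"\\*?\[\]{}~!#]')


def run_via_shell_string(name):
    """Vulnerable pattern: concatenate the raw name into a shell command.
    a2ps did this for file(1); 'echo' stands in for file here."""
    proc = subprocess.run("echo " + name, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()          # the substitution runs: "x42.c"


def run_via_argv(name):
    """Hardened: the name is its own argv element and no shell is involved.
    printf(1) stands in for file(1); the format is fixed, so the name is data."""
    proc = subprocess.run(["printf", "%s", name], capture_output=True, text=True)
    return proc.stdout                  # literal name, backticks intact


def run_via_quoted_shell(name):
    """If a shell is unavoidable (popen-style), shlex.quote() turns the name
    into one literal word; this is the escaping the advisory says was missing."""
    cmd = "printf %s " + shlex.quote(name)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def suspicious_names(names):
    """Defender check: names with shell metacharacters or a leading '-' (which
    an unprotected argv would read as an option). Order is preserved."""
    return [n for n in names if n.startswith("-") or SHELL_META.search(n)]


def scan_directory(directory):
    """Audit a directory before something like a cron job runs 'a2ps *.txt' in it."""
    return suspicious_names(os.listdir(directory))


if __name__ == "__main__":
    print("shell string :", run_via_shell_string(SAMPLE_NAME))
    print("argv         :", run_via_argv(SAMPLE_NAME))
    print("quoted shell :", run_via_quoted_shell(SAMPLE_NAME))
    print("flagged      :", suspicious_names(["report.c", SAMPLE_NAME, "-o.c"]))
```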
Record metadata
Exploit-DB: https://www.exploit-db.com/exploits/24406/ (download: https://www.exploit-db.com/download/24406/)
CVSS: 10.0, vector AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/ | Vulners score: 7.5
CVE: CVE-2004-1170 | OSVDB: 9176 | Bulletin family: exploit | Last seen: 2016-02-02T23:14:59
Related records cross-referenced to CVE-2004-1170 (each rated CVSS 10.0, vector AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

CVE-2004-1170 (NVD, published 2005-01-10)
  a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename.
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1170

Mandrake Linux Security Advisory MDKSA-2004:140 (Nessus plugin MANDRAKE_MDKSA-2004-140.NASL, published 2004-11-27)
  The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. The updated packages have been patched to prevent this problem.
  https://www.tenable.com/plugins/index.php?view=single&id=15838

Debian DSA-612-1: a2ps -- unsanitised input (published 2004-12-20; Nessus plugin DEBIAN_DSA-612.NASL; OpenVAS 53717)
  Rudolf Polzer discovered a vulnerability in a2ps, a converter and pretty-printer for many formats to PostScript. The program did not escape shell meta characters properly, which could lead to the execution of arbitrary commands as a privileged user if a2ps is installed as a printer filter.
  For the stable distribution (woody) this problem has been fixed in version 4.13b-16woody1. For the unstable distribution (sid) this problem has been fixed in version 1:4.13b-4.2. We recommend that you upgrade your a2ps package.
  http://www.debian.org/security/dsa-612
  https://www.tenable.com/plugins/index.php?view=single&id=16008
  http://plugins.openvas.org/nasl.php?oid=53717

FreeBSD VuXML 8091fcea-f35e-11d8-81b0-000347a4fa7d: a2ps -- insecure command line argument handling (published 2004-08-18; Nessus plugins FREEBSD_A2PS_413B2.NASL and FREEBSD_PKG_8091FCEAF35E11D881B0000347A4FA7D.NASL; OpenVAS 52334, FreeBSD Ports: a2ps-a4)
  Rudolf Polzer reports: a2ps builds a command line for file() containing an unescaped version of the file name, thus might call external programs described by the file name. Running a cronjob over a public writable directory a2ps-ing all files in it - or simply typing "a2ps *.txt" in /tmp - is therefore dangerous.
  The package that needs to be updated is a2ps-a4.
  https://vuxml.freebsd.org/freebsd/8091fcea-f35e-11d8-81b0-000347a4fa7d.html
  https://www.tenable.com/plugins/index.php?view=single&id=15524
  https://www.tenable.com/plugins/index.php?view=single&id=37951
  http://plugins.openvas.org/nasl.php?oid=52334

Gentoo GLSA-200501-02: a2ps: Multiple vulnerabilities (published 2005-01-04; covers CVE-2004-1170 and CVE-2004-1377; Nessus plugin GENTOO_GLSA-200501-02.NASL; OpenVAS 54788)
  Background: a2ps is an Any to Postscript filter that can convert to Postscript from many filetypes. fixps is a script that fixes errors in Postscript files. psmandup produces a Postscript file for printing in manual duplex mode.
  Description: Javier Fernandez-Sanguino Pena discovered that the a2ps package contains two scripts that create insecure temporary files (fixps and psmandup). Furthermore, we fixed in a previous revision a vulnerability in a2ps filename handling (CAN-2004-1170).
  Impact: A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When fixps or psmandup is executed, this would result in the file being overwritten with the rights of the user running the utility. By enticing a user or script to run a2ps on a malicious filename, an attacker could execute arbitrary commands on the system with the rights of that user or script.
  Workaround: There is no known workaround at this time.
  Resolution: All a2ps users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/a2ps-4.13c-r2"
  https://security.gentoo.org/glsa/200501-02
  https://www.tenable.com/plugins/index.php?view=single&id=16393
  http://plugins.openvas.org/nasl.php?oid=54788

OSVDB:9176: GNU a2ps File Name Shell Command Execution (published 2004-08-24)
  Vulnerability Description: GNU a2ps contains a flaw that may allow a malicious user to execute arbitrary files. The issue is triggered when a user uses a wildcard in a2ps filenames from within a world writeable directory. It is possible that the flaw may allow arbitrary code execution, resulting in a loss of confidentiality and/or integrity.
  Solution Description: Currently, there are no known workarounds or upgrades to correct this issue. However, FreeBSD has released a patch to address this vulnerability within the FreeBSD operating system.
  References:
    Vendor Specific Solution URL: http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/
    Security Tracker: 1012475
    Security Tracker: 1012629
    Secunia Advisory ID:12375: https://secuniaresearch.flexerasoftware.com/advisories/12375/
    Secunia Advisory ID:13519: https://secuniaresearch.flexerasoftware.com/advisories/13519/
    Secunia Advisory ID:13316: https://secuniaresearch.flexerasoftware.com/advisories/13316/
    Other Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:140
    Other Advisory URL: http://www.debian.org/security/2004/dsa-612
    Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
    ISS X-Force ID: 17127
    CVE-2004-1170: https://vulners.com/cve/CVE-2004-1170
  https://vulners.com/osvdb/OSVDB:9176

SUSE-SA:2004:034: remote command execution in XFree86-libs, xshared (published 2004-09-17; a libXpm advisory whose CVE list includes CVE-2004-1170 among many others)
  Chris Evans reported three vulnerabilities in libXpm which can be exploited remotely by providing malformed XPM image files. The function xpmParseColors() is vulnerable to an integer overflow and a stack-based buffer overflow. The functions ParseAndPutPixels() as well as ParsePixels() are vulnerable to a stack-based buffer overflow too. Additionally Matthieu Herrb found two one-byte buffer overflows.
  Solution: There is no workaround known.
  http://lists.opensuse.org/opensuse-security-announce/2004-09/msg00013.html