Debian DSA-062-1 : rxvt - buffer overflow

2004-09-29T00:00:00
ID DEBIAN_DSA-062.NASL
Type nessus
Reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
Modified 2020-07-02T00:00:00

Description

Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) have a buffer overflow in thett_printf() function. A local user could abuse this making rxvt print a special string using that function, for example by using the -T or -name command-line options. That string would cause a stack overflow and contain code which rxvt will execute.

Since rxvt is installed sgid utmp an attacker could use this to gain utmp which would allow them to modify the utmp file.

                                        
                                            #%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-062. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(14899);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:16");

  script_cve_id("CVE-2001-1077");
  script_bugtraq_id(2878);
  script_xref(name:"DSA", value:"062");

  script_name(english:"Debian DSA-062-1 : rxvt - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102
 terminal emulator for X) have a buffer overflow in thett_printf()
 function. A local user could abuse this making rxvt print a special
 string using that function, for example by using the -T or -name
 command-line options. That string would cause a stack overflow and
 contain code which rxvt will execute.

Since rxvt is installed sgid utmp an attacker could use this to gain
utmp which would allow them to modify the utmp file."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2001/dsa-062"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"This has been fixed in version 2.6.2-2.1, and we recommend that you
upgrade your rxvt package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rxvt");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2001/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"2.2", prefix:"rxvt", reference:"2.6.2-2.1")) flag++;
if (deb_check(release:"2.2", prefix:"rxvt-ml", reference:"2.6.2-2.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");