Mandrake Linux Security Advisory : xlockmore (MDKSA-2000:011)

2012-09-06T00:00:00
ID MANDRAKE_MDKSA-2000-011.NASL
Type nessus
Reporter Tenable
Modified 2018-07-19T00:00:00

Description

Xlock is an X11 utility used to lock X-Window displays until the password of the user running X is entered correctly. Of course, in order to perform the password check xlock must be setuid root and have access to the shadowed passwd file. In the xlockmore distributions prior to version 4.16.1, a buffer overflow vulnerability was present in xlock that permitted a user to view parts of the shadowed passwd file. This is achieved by overwriting (with an oversized -mode argument) a global variable storing a pointer to a string printed in the 'usage' output. The pointer would be overwritten with an address pointing to the shadowed passwd data. With the long argument, xlock would find an error in the command syntax and exit, printing the usage information (along with the shadowed passwd text).

                                        
                                            #%NASL_MIN_LEVEL 70103

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2000:011. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

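#
# Plugin registration. When the scanner loads the plugin with the
# "description" flag set, only this block runs: it publishes the metadata
# (ids, advisory cross-reference, affected CPEs, dependencies) and exits
# before any host interaction.
#
if (description)
{
  script_id(61809);
  script_version("1.4");
  script_cvs_date("Date: 2018/07/19 20:59:12");

  # Upstream advisory this check was derived from.
  script_xref(name:"MDKSA", value:"2000:011");

  script_name(english:"Mandrake Linux Security Advisory : xlockmore (MDKSA-2000:011)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Mandrake Linux host is missing a security update."
  );
  # Description text as imported from the advisory. A stray HTML fragment
  # ("</p>") that leaked in from the import has been dropped from the end,
  # and the "find and an error" typo corrected.
  script_set_attribute(
    attribute:"description", 
    value:
"Xlock is an X11 utility used to lock X-Window displays until the
password of the user running X is entered correctly. Of course, in
order to perform the password-check xlock must be setuid root and have
access to the shadowed passwd file. In the xlockmore distributions
versions prior to 4.16.1, a buffer overflow vulnerability was present
in xlock that permitted a user to view parts of the shadowed passwd
file. This is achieved by overwriting (with an oversized -mode
argument) a global variable storing a pointer to a string printed in
the 'usage' output. The pointer would be overwritten with an address
pointing to the shadowed passwd data. With the long argument, xlock
would find an error in the command syntax and exit, printing the
usage information (along with the shadowed passwd text)."
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected xlockmore package."
  );
  # Local information disclosure of shadowed password data from a setuid
  # root binary; reported via security_hole() below.
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # One package CPE plus one OS CPE per release covered by the rpm checks.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xlockmore");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2000/06/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  # The rpm list and release string are gathered over SSH by this dependency;
  # the KB keys below must all be present for the check to run at all.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}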


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


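# Pre-flight: stop with a typed audit result unless local checks are
# enabled, the target identifies as Mandrake/Mandriva and an rpm list is
# in the KB. The rpm comparisons below are meaningless otherwise.
# (The OS-mismatch message previously misspelled "Mandrake"; it now
# matches the wording used for the architecture check.)
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The rpm references below are i386 builds only, so a non-x86 host is
# reported as "not implemented" rather than silently passing as unaffected.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);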


# Compare the installed xlockmore against the fixed build from MDKSA-2000:011.
# The same reference (4.16.1-1mdk) applies to every affected release, so the
# checks differ only in the release string; flag counts how many matched.
flag = 0;
foreach release (make_list("MDK6.1", "MDK7.0", "MDK7.1"))
{
  if (rpm_check(release:release, cpu:"i386", reference:"xlockmore-4.16.1-1mdk", yank:"mdk")) flag++;
}


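# Report if any release/package pair matched a vulnerable version.
# The comparison operator here had been HTML-escaped ("&gt;") in the
# imported source, which is not valid NASL; it is restored to ">".
if (flag)
{
  # Verbose reports attach the rpm evidence collected by rpm_check().
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");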