Lucene search

K
nessusUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2017 Tenable Network Security, Inc.UBUNTU_USN-135-1.NASL
HistoryJan 15, 2006 - 12:00 a.m.

Ubuntu 4.10 / 5.04 : gdb vulnerabilities (USN-135-1)

2006-01-1500:00:00
Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2017 Tenable Network Security, Inc.
www.tenable.com
24

Tavis Ormandy found an integer overflow in the GNU debugger. By tricking an user into merely load a specially crafted executable, an attacker could exploit this to execute arbitrary code with the privileges of the user running gdb. However, loading untrusted binaries without actually executing them is rather uncommon, so the risk of this flaw is low. (CAN-2005-1704)

Tavis Ormandy also discovered that gdb loads and executes the file ‘.gdbinit’ in the current directory even if the file belongs to a different user. By tricking an user into run gdb in a directory with a malicious .gdbinit file, a local attacker could exploit this to run arbitrary commands with the privileges of the user invoking gdb.
(CAN-2005-1705).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-135-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(20526);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2005-1704", "CVE-2005-1705");
  script_xref(name:"USN", value:"135-1");

  script_name(english:"Ubuntu 4.10 / 5.04 : gdb vulnerabilities (USN-135-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Tavis Ormandy found an integer overflow in the GNU debugger. By
tricking an user into merely load a specially crafted executable, an
attacker could exploit this to execute arbitrary code with the
privileges of the user running gdb. However, loading untrusted
binaries without actually executing them is rather uncommon, so the
risk of this flaw is low. (CAN-2005-1704)

Tavis Ormandy also discovered that gdb loads and executes the file
'.gdbinit' in the current directory even if the file belongs to a
different user. By tricking an user into run gdb in a directory with a
malicious .gdbinit file, a local attacker could exploit this to run
arbitrary commands with the privileges of the user invoking gdb.
(CAN-2005-1705).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected gdb package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gdb");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/05/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2017 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"gdb", pkgver:"6.1-3ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"gdb", pkgver:"6.3-5ubuntu1.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gdb");
}
Related for UBUNTU_USN-135-1.NASL