Mandrake Linux ml85p printer-drivers Package Symlink Arbitrary File Overwrite
2003-01-21T00:00:00
ID: OSVDB:14558
Type: osvdb
Reporter: OSVDB
Modified: 2003-01-21T00:00:00
Description
No description provided by the source
References:
Other Advisory URL: http://www.idefense.com/application/poi/display?id=20&type=vulnerabilities
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0029.html
ISS X-Force ID: 11120
CVE-2003-0036
{"cve": [{"lastseen": "2020-10-03T11:33:01", "description": "ml85p, as included in the printer-drivers package for Mandrake Linux, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable filenames of the form \"mlg85p%d\".", "edition": 3, "cvss3": {}, "published": "2003-02-07T05:00:00", "title": "CVE-2003-0036", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 1.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.2, "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0036"], "modified": "2018-10-19T15:29:00", "cpe": ["cpe:/a:rildo_pragana:ml85p:*"], "id": "CVE-2003-0036", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0036", "cvss": {"score": 6.2, "vector": "AV:L/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:rildo_pragana:ml85p:*:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-07T11:51:18", "description": "Karol Wiesek and iDefense disovered three vulnerabilities in the\nprinter-drivers package and tools it installs. These vulnerabilities\nallow a local attacker to empty or create any file on the filesystem.\n\nThe first vulnerability is in the mtink binary, which has a buffer\noverflow in its handling of the HOME environment variable.\n\nThe second vulnerability is in the escputil binary, which has a buffer\noverflow in the parsing of the --printer-name command line argument.\nThis is only possible when esputil is suid or sgid; in Mandrake Linux\n9.0 it was sgid 'sys'. 
Successful exploitation will provide the\nattacker with the privilege of the group 'sys'.\n\nThe third vulnerability is in the ml85p binary which contains a race\ncondition in the opening of a temporary file. By default this file is\ninstalled suid root so it can be used to gain root privilege. The only\ncaveat is that this file is not executable by other, only by root or\ngroup 'sys'. Using either of the two previous vulnerabilities, an\nattacker can exploit one of them to obtain 'sys' privilege' and then\nuse that to exploit this vulnerability to gain root privilege.\n\nMandrakeSoft encourages all users to upgrade immediately.\n\nAside from the security vulnerabilities, a number of bugfixes are\nincluded in this update, for Mandrake Linux 9.0 users. GIMP-Print\n4.2.5pre1, HPIJS 1.3, pnm2ppa 1.12, mtink 0.9.53, and a new foomatic\nsnapshot are included. For a list of the many bugfixes, please refer\nto the RPM changelog.", "edition": 25, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : printer-drivers (MDKSA-2003:010)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0036", "CVE-2003-0035", "CVE-2003-0034"], "modified": "2004-07-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:libijs0", "p-cpe:/a:mandriva:linux:printer-filters", "p-cpe:/a:mandriva:linux:foomatic", "cpe:/o:mandrakesoft:mandrake_linux:8.2", "p-cpe:/a:mandriva:linux:ghostscript-utils", "p-cpe:/a:mandriva:linux:gimpprint", "p-cpe:/a:mandriva:linux:libgimpprint1-devel", "cpe:/o:mandrakesoft:mandrake_linux:8.0", "p-cpe:/a:mandriva:linux:ghostscript", "cpe:/o:mandrakesoft:mandrake_linux:9.0", "p-cpe:/a:mandriva:linux:ghostscript-module-X", "p-cpe:/a:mandriva:linux:ghostscript-module-SVGALIB", "p-cpe:/a:mandriva:linux:printer-utils", "p-cpe:/a:mandriva:linux:omni", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:libijs0-devel", "p-cpe:/a:mandriva:linux:printer-testpages", "p-cpe:/a:mandriva:linux:cups-drivers", 
"p-cpe:/a:mandriva:linux:libgimpprint1"], "id": "MANDRAKE_MDKSA-2003-010.NASL", "href": "https://www.tenable.com/plugins/nessus/13995", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2003:010. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13995);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2003-0034\", \"CVE-2003-0035\", \"CVE-2003-0036\");\n script_xref(name:\"MDKSA\", value:\"2003:010\");\n\n script_name(english:\"Mandrake Linux Security Advisory : printer-drivers (MDKSA-2003:010)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Karol Wiesek and iDefense disovered three vulnerabilities in the\nprinter-drivers package and tools it installs. These vulnerabilities\nallow a local attacker to empty or create any file on the filesystem.\n\nThe first vulnerability is in the mtink binary, which has a buffer\noverflow in its handling of the HOME environment variable.\n\nThe second vulnerability is in the escputil binary, which has a buffer\noverflow in the parsing of the --printer-name command line argument.\nThis is only possible when esputil is suid or sgid; in Mandrake Linux\n9.0 it was sgid 'sys'. Successful exploitation will provide the\nattacker with the privilege of the group 'sys'.\n\nThe third vulnerability is in the ml85p binary which contains a race\ncondition in the opening of a temporary file. 
By default this file is\ninstalled suid root so it can be used to gain root privilege. The only\ncaveat is that this file is not executable by other, only by root or\ngroup 'sys'. Using either of the two previous vulnerabilities, an\nattacker can exploit one of them to obtain 'sys' privilege' and then\nuse that to exploit this vulnerability to gain root privilege.\n\nMandrakeSoft encourages all users to upgrade immediately.\n\nAside from the security vulnerabilities, a number of bugfixes are\nincluded in this update, for Mandrake Linux 9.0 users. GIMP-Print\n4.2.5pre1, HPIJS 1.3, pnm2ppa 1.12, mtink 0.9.53, and a new foomatic\nsnapshot are included. For a list of the many bugfixes, please refer\nto the RPM changelog.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.idefense.com/advisory/01.21.03.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cups-drivers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:foomatic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ghostscript-module-SVGALIB\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ghostscript-module-X\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ghostscript-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gimpprint\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libgimpprint1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libgimpprint1-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:mandriva:linux:libijs0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libijs0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:omni\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:printer-filters\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:printer-testpages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:printer-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / 
Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"ghostscript-5.50-67.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"ghostscript-module-SVGALIB-5.50-67.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"ghostscript-module-X-5.50-67.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.0\", cpu:\"i386\", reference:\"ghostscript-utils-5.50-67.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"cups-drivers-1.1-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"foomatic-1.1-0.20010923.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ghostscript-6.51-24.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ghostscript-module-SVGALIB-6.51-24.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ghostscript-module-X-6.51-24.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"libgimpprint1-4.1.99-16.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"libgimpprint1-devel-4.1.99-16.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"omni-0.4-11.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"printer-filters-1.0-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"printer-testpages-1.0-15.1mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"printer-utils-1.0-15.1mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"cups-drivers-1.1-48.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"foomatic-1.1-0.20020323mdk\", 
yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"ghostscript-6.53-13.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"ghostscript-module-SVGALIB-6.53-13.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"ghostscript-module-X-6.53-13.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"gimpprint-4.2.1-0.pre5.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"libgimpprint1-4.2.1-0.pre5.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"libgimpprint1-devel-4.2.1-0.pre5.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"omni-0.6.0-2.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"printer-filters-1.0-48.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"printer-testpages-1.0-48.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"printer-utils-1.0-48.2mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"cups-drivers-1.1-84.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"foomatic-2.0.2-20021220.2.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"ghostscript-7.05-33.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"ghostscript-module-X-7.05-33.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"gimpprint-4.2.5-0.2.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libgimpprint1-4.2.5-0.2.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libgimpprint1-devel-4.2.5-0.2.2mdk\", yank:\"mdk\")) 
flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libijs0-0.34-24.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libijs0-devel-0.34-24.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"omni-0.7.1-11.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"printer-filters-1.0-84.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"printer-testpages-1.0-84.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"printer-utils-1.0-84.2mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}