ID CVE-2004-0233
Summary Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.
References
Vulnerable Configurations
  • SGI ProPack 2.4
    cpe:2.3:a:sgi:propack:2.4
  • SGI ProPack 3.0
    cpe:2.3:a:sgi:propack:3.0
  • cpe:2.3:a:utempter:utempter:0.5.2
    cpe:2.3:a:utempter:utempter:0.5.2
  • cpe:2.3:a:utempter:utempter:0.5.3
    cpe:2.3:a:utempter:utempter:0.5.3
  • cpe:2.3:o:slackware:slackware_linux
    cpe:2.3:o:slackware:slackware_linux
  • Slackware Linux 9.1
    cpe:2.3:o:slackware:slackware_linux:9.1
CVSS
Base: 2.1 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
exploit-db via4
description UTempter 0.5.x Multiple Local Vulnerabilities. CVE-2004-0233. Local exploit for linux platform
id EDB-ID:24027
last seen 2016-02-02
modified 2004-04-19
published 2004-04-19
reporter Steve Grubb
source https://www.exploit-db.com/download/24027/
title UTempter 0.5.x - Multiple Local Vulnerabilities
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-174.NASL
    description An updated utempter package that fixes a potential symlink vulnerability is now available. Utempter is a utility that allows terminal applications such as xterm and screen to update utmp and wtmp without requiring root privileges. Steve Grubb discovered a flaw in Utempter which allowed device names containing directory traversal sequences such as '/../'. In combination with an application that trusts the utmp or wtmp files, this could allow a local attacker the ability to overwrite privileged files using a symlink. Users should upgrade to this new version of utempter, which fixes this vulnerability.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12490
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12490
    title RHEL 2.1 / 3 : utempter (RHSA-2004:174)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2004-110-01.NASL
    description New utempter packages are available for Slackware 9.1 and -current to fix a security issue. (Slackware 9.1 was the first version of Slackware to use the libutempter library, and earlier versions of Slackware are not affected by this issue) The utempter package provides a utility and shared library that allows terminal applications such as xterm and screen to update /var/run/utmp and /var/log/wtmp without requiring root privileges. Steve Grubb has identified an issue with utempter-0.5.2 where under certain circumstances an attacker could cause it to overwrite files through a symlink. This has been addressed by upgrading the utempter package to use Dmitry V. Levin's new implementation of libutempter that does not have this bug.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 18769
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18769
    title Slackware 9.1 / current : utempter security update (SSA:2004-110-01)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200405-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-200405-05 (Utempter symlink vulnerability) Utempter contains a vulnerability that may allow local users to overwrite arbitrary files via a symlink attack. Impact : This vulnerability may allow arbitrary files to be overwritten with root privileges. Workaround : There is no known workaround at this time. All users are advised to upgrade to the latest available version of utempter.
    last seen 2019-02-21
    modified 2015-04-13
    plugin id 14491
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14491
    title GLSA-200405-05 : Utempter symlink vulnerability
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-031.NASL
    description Steve Grubb discovered two potential issues in the utempter program : 1) If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to. 2) Several calls to strncpy without a manual termination of the string. This would most likely crash utempter. The updated packages are patched to correct these problems. Update : The second portion of the patch to address the manual termination of the string has been determined to be uneccessary, as well as reducing the length of utmp strings by one character. As such, it has been removed.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14130
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14130
    title Mandrake Linux Security Advisory : utempter (MDKSA-2004:031-1)
oval via4
  • accepted 2013-04-29T04:01:51.280-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.
    family unix
    id oval:org.mitre.oval:def:10115
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.
    version 24
  • accepted 2004-07-12T12:00:00.000-04:00
    class vulnerability
    contributors
    name Jay Beale
    organization Bastille Linux
    description Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.
    family unix
    id oval:org.mitre.oval:def:979
    status accepted
    submitted 2004-06-10T12:00:00.000-04:00
    title Utempter Directory Traversal Vulnerability
    version 3
redhat via4
advisories
  • rhsa
    id RHSA-2004:174
  • rhsa
    id RHSA-2004:175
refmap via4
bid 10178
gentoo GLSA-200405-05
mandrake MDKSA-2004:031
slackware SSA:2004-110
sunalert 1000752
xf utemper-symlink(15904)
Last major update 21-08-2010 - 00:20
Published 18-08-2004 - 00:00
Last modified 10-10-2017 - 21:29
Back to Top