ID CVE-2004-0497
Summary Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.
References
Vulnerable Configurations
  • MandrakeSoft Mandrake Multi Network Firewall 8.2
    cpe:2.3:a:mandrakesoft:mandrake_multi_network_firewall:8.2
  • Conectiva Conectiva Linux 10
    cpe:2.3:o:conectiva:linux:10
  • Gentoo Linux
    cpe:2.3:o:gentoo:linux
  • cpe:2.3:o:linux:linux_kernel:2.0
    cpe:2.3:o:linux:linux_kernel:2.0
  • MandrakeSoft Mandrake Linux 9.1
    cpe:2.3:o:mandrakesoft:mandrake_linux:9.1
  • MandrakeSoft Mandrake Linux 9.2
    cpe:2.3:o:mandrakesoft:mandrake_linux:9.2
  • MandrakeSoft Mandrake Linux 10.0
    cpe:2.3:o:mandrakesoft:mandrake_linux:10.0
  • MandrakeSoft Mandrake Linux Corporate Server 2.1
    cpe:2.3:o:mandrakesoft:mandrake_linux_corporate_server:2.1
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation
    cpe:2.3:o:redhat:enterprise_linux:2.1:-:workstation
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:advanced_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:enterprise_server
  • cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation_server
    cpe:2.3:o:redhat:enterprise_linux:3.0:-:workstation_server
  • SuSE SuSE Linux 8.0
    cpe:2.3:o:suse:suse_linux:8.0
  • SuSE SuSE Linux 8.1
    cpe:2.3:o:suse:suse_linux:8.1
  • SuSE SuSE Linux 8.2
    cpe:2.3:o:suse:suse_linux:8.2
  • SuSE SuSE Linux 9.0
    cpe:2.3:o:suse:suse_linux:9.0
  • SuSE SuSE Linux 9.1
    cpe:2.3:o:suse:suse_linux:9.1
  • Trustix Secure Enterprise Linux 2
    cpe:2.3:o:trustix:secure_linux:2
  • Trustix Secure Linux 2.0
    cpe:2.3:o:trustix:secure_linux:2.0
  • Trustix Secure Linux 2.1
    cpe:2.3:o:trustix:secure_linux:2.1
CVSS
Base: 2.1 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
exploit-db via4
description Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation. CVE-2004-0497. Local exploit for Linux platform
id EDB-ID:40726
last seen 2016-11-09
modified 2004-12-04
published 2004-12-04
reporter Exploit-DB
source https://www.exploit-db.com/download/40726/
title Linux Kernel 2.6.x < 2.6.7-rc3 - 'sys_chown()' Privilege Escalation
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-360.NASL
    description Updated kernel packages that fix a security vulnerability affecting the kernel nfs server for Red Hat Enterprise Linux 3 are now available. The Linux kernel handles the basic functions of the operating system. During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0497 to this issue. Only Red Hat Enterprise Linux systems that are configured to share file systems via NFS are affected by this issue. All Red Hat Enterprise Linux 3 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 12511
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12511
    title RHEL 3 : kernel (RHSA-2004:360)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-205.NASL
    description During an audit of the Linux kernel, SUSE discovered a flaw in the Linux kernel that inappropriately allows an unprivileged user to change the group ID of a file to his/her own group ID. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0497 to this issue. All Fedora Core 2 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13736
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13736
    title Fedora Core 2 : kernel-2.6.6-1.435.2.3 (2004-205)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-206.NASL
    description During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Fedora Core 1, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0497 to this issue. Only Fedora Core 1 systems that are configured to share file systems via NFS are affected by this issue. Additionally, a number of issues were discovered with the Broadcom 5820 driver. Until such time that these get fixed, this driver has been disabled. All Fedora Core 1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13737
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13737
    title Fedora Core 1 : kernel-2.4.22-1.2197.nptl (2004-206)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-354.NASL
    description Updated kernel packages that fix a security vulnerability affecting the kernel nfs server for Red Hat Enterprise Linux 2.1 are now available. The Linux kernel handles the basic functions of the operating system. During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances. In the 2.4 kernel, as shipped with Red Hat Enterprise Linux, the only way this could happen is through the kernel nfs server. A user on a system that mounted a remote file system from a vulnerable machine may be able to make unauthorized changes to the group ID of exported files. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0497 to this issue. Only Red Hat Enterprise Linux systems that are configured to share file systems via NFS are affected by this issue. All Red Hat Enterprise Linux 2.1 users are advised to upgrade their kernels to the packages associated with their machine architectures and configurations as listed in this erratum. These packages contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 12510
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12510
    title RHEL 2.1 : kernel (RHSA-2004:354)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SA_2004_020.NASL
    description The remote host is missing the patch for the advisory SUSE-SA:2004:020 (kernel). Multiple security vulnerabilities are being addressed with this security update of the Linux kernel. Kernel memory access vulnerabilities are fixed in the e1000, decnet, acpi_asus, alsa, airo/WLAN, pss and mpu401 drivers. These vulnerabilities can lead to kernel memory read access, write access and local denial of service conditions, resulting in access to the root account for an attacker with a local account on the affected system. Missing Discretionary Access Control (DAC) checks in the chown(2) system call allow an attacker with a local account to change the group ownership of arbitrary files, which leads to root privileges on affected systems. It is specific to kernel version 2.6 based systems such as the SUSE Linux 9.1 product, that only local shell access is needed to exploit this vulnerability. An interesting variant of the missing checks is that the ownership of files in the /proc filesystem can be altered, while the changed ownership still does not allow the files to be accessed as a non-root user for to be able to exploit the vulnerability. Systems that are based on a version 2.4 kernel are not vulnerable to the /proc weakness, and exploitation of the weakness requires the use of the kernel NFS server (knfsd). If the knfsd NFS server is not activated (it is off by default), the vulnerability is not exposed. These issues related to the chown(2) system call have been discovered by Michael Schroeder and Ruediger Oertel, both SUSE LINUX. The only network-related vulnerability fixed with the kernel updates that are subject to this announcement affect the SUSE Linux 9.1 distribution only, as it is based on a 2.6 kernel. Found and reported to bugtraq by Adam Osuchowski and Tomasz Dubinski, the vulnerability allows a remote attacker to send a specially crafted TCP packet to a vulnerable system, causing that system to stall if it makes use of TCP option matching netfilter rules. In some rare configurations of the SUSE Linux 9.1 distribution, some users have experienced stalling systems during system startup. These problems are fixed with this kernel update.
    last seen 2019-02-21
    modified 2010-10-06
    plugin id 13836
    published 2004-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13836
    title SUSE-SA:2004:020: kernel
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200407-16.NASL
    description The remote host is affected by the vulnerability described in GLSA-200407-16 (Linux Kernel: Multiple DoS and permission vulnerabilities) The Linux kernel allows a local attacker to mount a remote file system on a vulnerable Linux host and modify files' group IDs. On 2.4 series kernels this vulnerability only affects shared NFS file systems. This vulnerability has been assigned CAN-2004-0497 by the Common Vulnerabilities and Exposures project. Also, a flaw in the handling of /proc attributes has been found in 2.6 series kernels; allowing the unauthorized modification of /proc entries, especially those which rely solely on file permissions for security to vital kernel parameters. An issue specific to the VServer Linux sources has been found, by which /proc related changes in one virtual context are applied to other contexts as well, including the host system. CAN-2004-0447 resolves a local DoS vulnerability on IA64 platforms which can cause unknown behaviour and CAN-2004-0565 resolves a floating point information leak on IA64 platforms by which registers of other processes can be read by a local user. Finally, CAN-2004-0496 addresses some more unknown vulnerabilities in 2.6 series Linux kernels older than 2.6.7 which were found by the Sparse source code checking tool. Impact : Bad Group IDs can possibly cause a Denial of Service on parts of a host if the changed files normally require a special GID to properly operate. By exploiting this vulnerability, users in the original file group would also be blocked from accessing the changed files. The /proc attribute vulnerability allows local users with previously no permissions to certain /proc entries to exploit the vulnerability and then gain read, write and execute access to entries. These new privileges can be used to cause unknown behaviour ranging from reduced system performance to a Denial of Service by manipulating various kernel options which are usually reserved for the superuser. This flaw might also be used for opening restrictions set through /proc entries, allowing further attacks to take place through another possibly unexpected attack vector. The VServer issue can also be used to induce similar unexpected behaviour to other VServer contexts, including the host. By successful exploitation, a Denial of Service for other contexts can be caused allowing only root to read certain /proc entries. Such a change would also be replicated to other contexts, forbidding normal users on those contexts to read /proc entries which could contain details needed by daemons running as a non-root user, for example. Additionally, this vulnerability allows an attacker to read information from another context, possibly hosting a different server, gaining critical information such as what processes are running. This may be used for furthering the exploitation of either context. CAN-2004-0447 and CAN-2004-0496 permit various local unknown Denial of Service vulnerabilities with unknown impacts - these vulnerabilities can be used to possibly elevate privileges or access reserved kernel memory which can be used for further exploitation of the system. CAN-2004-0565 allows FPU register values of other processes to be read by a local user setting the MFH bit during a floating point operation - since no check was in place to ensure that the FPH bit was owned by the requesting process, but only an MFH bit check, an attacker can simply set the MFH bit and access FPU registers of processes running as other users, possibly those running as root. Workaround : 2.4 users may not be affected by CAN-2004-0497 if they do not use remote network filesystems and do not have support for any such filesystems in their kernel configuration. All 2.6 users are affected by the /proc attribute issue and the only known workaround is to disable /proc support. The VServer flaw applies only to vserver-sources, and no workaround is currently known for the issue. There is no known fix to CAN-2004-0447, CAN-2004-0496 or CAN-2004-0565 other than to upgrade the kernel to a patched version. As a result, all users affected by any of these vulnerabilities should upgrade their kernels to ensure the integrity of their systems.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 14549
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14549
    title GLSA-200407-16 : Linux Kernel: Multiple DoS and permission vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-066.NASL
    description A number of vulnerabilities were discovered in the Linux kernel that are corrected with this update : Multiple vulnerabilities were found by the Sparse source checker that could allow local users to elevate privileges or gain access to kernel memory (CVE-2004-0495). Missing Discretionary Access Controls (DAC) checks in the chown(2) system call could allow an attacker with a local account to change the group ownership of arbitrary files, which could lead to root privileges on affected systems (CVE-2004-0497). An information leak vulnerability that affects only ia64 systems was fixed (CVE-2004-0565). Insecure permissions on /proc/scsi/qla2300/HbaApiNode could allow a local user to cause a DoS on the system; this only affects Mandrakelinux 9.2 and below (CVE-2004-0587). A vulnerability that could crash the kernel has also been fixed. This crash, however, can only be exploited via root (in br_if.c). The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at : http://www.mandrakesoft.com/security/kernelupdate
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14165
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14165
    title Mandrake Linux Security Advisory : kernel (MDKSA-2004:066)
oval via4
accepted 2013-04-29T04:22:54.311-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 3
    oval oval:org.mitre.oval:def:11782
  • comment CentOS Linux 3.x
    oval oval:org.mitre.oval:def:16651
description Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.
family unix
id oval:org.mitre.oval:def:9867
status accepted
submitted 2010-07-09T03:56:16-04:00
title Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.
version 23
redhat via4
advisories
  • rhsa
    id RHSA-2004:354
  • rhsa
    id RHSA-2004:360
refmap via4
conectiva CLA-2004:852
mandrake MDKSA-2004:066
suse SUSE-SA:2004:020
xf linux-fchown-groupid-modify(16599)
Last major update 21-08-2010 - 00:20
Published 06-12-2004 - 00:00
Last modified 10-10-2017 - 21:29
Back to Top