ID CVE-2004-1170
Summary a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename.
Vulnerable Configurations
  • GNU a2ps 4.13
    cpe:2.3:a:gnu:a2ps:4.13
  • GNU a2ps 4.13b
    cpe:2.3:a:gnu:a2ps:4.13b
  • Sun Java Desktop System 2.0
    cpe:2.3:a:sun:java_desktop_system:2.0
  • cpe:2.3:a:sun:java_desktop_system:2003
  • cpe:2.3:o:suse:suse_linux:8:-:enterprise_server
  • SuSE SuSE Linux 8.1
    cpe:2.3:o:suse:suse_linux:8.1
  • SuSE SuSE Linux 8.2
    cpe:2.3:o:suse:suse_linux:8.2
  • SuSE SuSE Linux 9.0
    cpe:2.3:o:suse:suse_linux:9.0
  • cpe:2.3:o:suse:suse_linux:9.0:-:enterprise_server
  • cpe:2.3:o:suse:suse_linux:9.0:-:x86_64
  • SuSE SuSE Linux 9.1
    cpe:2.3:o:suse:suse_linux:9.1
CVSS
Base: 10.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
description GNU a2ps 4.13 File Name Command Execution Vulnerability. CVE-2004-1170. Local exploit for linux platform
id EDB-ID:24406
last seen 2016-02-02
modified 2004-08-24
published 2004-08-24
reporter Rudolf Polzer
source https://www.exploit-db.com/download/24406/
title GNU a2ps 4.13 File Name Command Execution Vulnerability
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_A2PS_413B2.NASL
    description The following package needs to be updated: a2ps-a4
    last seen 2016-09-26
    modified 2011-10-03
    plugin id 15524
    published 2004-10-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15524
    title FreeBSD : a2ps -- insecure command line argument handling (4)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-02 (a2ps: Multiple vulnerabilities) Javier Fernandez-Sanguino Pena discovered that the a2ps package contains two scripts that create insecure temporary files (fixps and psmandup). Furthermore, we fixed in a previous revision a vulnerability in a2ps filename handling (CAN-2004-1170). Impact : A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When fixps or psmandup is executed, this would result in the file being overwritten with the rights of the user running the utility. By enticing a user or script to run a2ps on a malicious filename, an attacker could execute arbitrary commands on the system with the rights of that user or script. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 16393
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16393
    title GLSA-200501-02 : a2ps: Multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-140.NASL
    description The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. The updated packages have been patched to prevent this problem.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 15838
    published 2004-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15838
    title Mandrake Linux Security Advisory : a2ps (MDKSA-2004:140)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-612.NASL
    description Rudolf Polzer discovered a vulnerability in a2ps, a converter and pretty-printer for many formats to PostScript. The program did not escape shell meta characters properly which could lead to the execution of arbitrary commands as a privileged user if a2ps is installed as a printer filter.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 16008
    published 2004-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16008
    title Debian DSA-612-1 : a2ps - unsanitised input
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_8091FCEAF35E11D881B0000347A4FA7D.NASL
    description Rudolf Polzer reports : a2ps builds a command line for file() containing an unescaped version of the file name, thus might call external programs described by the file name. Running a cronjob over a public writable directory a2ps-ing all files in it - or simply typing 'a2ps *.txt' in /tmp - is therefore dangerous.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 37951
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37951
    title FreeBSD : a2ps -- insecure command line argument handling (8091fcea-f35e-11d8-81b0-000347a4fa7d)
refmap via4
bid 11025
confirm http://bugs.debian.org/283134
fedora FLSA:152870
fulldisc 20040824 a2ps executing shell commands from file name
mandrake MDKSA-2004:140
misc http://www.securiteam.com/unixfocus/5MP0N2KDPA.html
openpkg OpenPKG-SA-2005.003
secunia 12375
sunalert 57649
suse SUSE-SA:2004:034
xf gnu-a2ps-gain-privileges(17127)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 17-10-2016 - 22:51
Published 10-01-2005 - 00:00
Last modified 19-10-2018 - 11:30