ID CVE-2006-5215
Summary The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
References
Vulnerable Configurations
  • cpe:2.3:a:x.org:xdm:1.0.3
    cpe:2.3:a:x.org:xdm:1.0.3
  • NetBSD 1.0
    cpe:2.3:o:netbsd:netbsd:1.0
  • NetBSD 1.1
    cpe:2.3:o:netbsd:netbsd:1.1
  • NetBSD 1.2
    cpe:2.3:o:netbsd:netbsd:1.2
  • NetBSD 1.2.1
    cpe:2.3:o:netbsd:netbsd:1.2.1
  • NetBSD 1.3
    cpe:2.3:o:netbsd:netbsd:1.3
  • NetBSD 1.3.1
    cpe:2.3:o:netbsd:netbsd:1.3.1
  • NetBSD 1.3.2
    cpe:2.3:o:netbsd:netbsd:1.3.2
  • NetBSD 1.3.3
    cpe:2.3:o:netbsd:netbsd:1.3.3
  • NetBSD 1.4
    cpe:2.3:o:netbsd:netbsd:1.4
  • cpe:2.3:o:netbsd:netbsd:1.4:-:alpha
    cpe:2.3:o:netbsd:netbsd:1.4:-:alpha
  • cpe:2.3:o:netbsd:netbsd:1.4:-:arm32
    cpe:2.3:o:netbsd:netbsd:1.4:-:arm32
  • cpe:2.3:o:netbsd:netbsd:1.4:-:sparc
    cpe:2.3:o:netbsd:netbsd:1.4:-:sparc
  • cpe:2.3:o:netbsd:netbsd:1.4:-:x86
    cpe:2.3:o:netbsd:netbsd:1.4:-:x86
  • NetBSD 1.4.1
    cpe:2.3:o:netbsd:netbsd:1.4.1
  • cpe:2.3:o:netbsd:netbsd:1.4.1:-:alpha
    cpe:2.3:o:netbsd:netbsd:1.4.1:-:alpha
  • cpe:2.3:o:netbsd:netbsd:1.4.1:-:arm32
    cpe:2.3:o:netbsd:netbsd:1.4.1:-:arm32
  • cpe:2.3:o:netbsd:netbsd:1.4.1:-:sh3
    cpe:2.3:o:netbsd:netbsd:1.4.1:-:sh3
  • cpe:2.3:o:netbsd:netbsd:1.4.1:-:sparc
    cpe:2.3:o:netbsd:netbsd:1.4.1:-:sparc
  • cpe:2.3:o:netbsd:netbsd:1.4.1:-:x86
    cpe:2.3:o:netbsd:netbsd:1.4.1:-:x86
  • NetBSD 1.4.2
    cpe:2.3:o:netbsd:netbsd:1.4.2
  • cpe:2.3:o:netbsd:netbsd:1.4.2:-:alpha
    cpe:2.3:o:netbsd:netbsd:1.4.2:-:alpha
  • cpe:2.3:o:netbsd:netbsd:1.4.2:-:arm32
    cpe:2.3:o:netbsd:netbsd:1.4.2:-:arm32
  • cpe:2.3:o:netbsd:netbsd:1.4.2:-:sparc
    cpe:2.3:o:netbsd:netbsd:1.4.2:-:sparc
  • cpe:2.3:o:netbsd:netbsd:1.4.2:-:x86
    cpe:2.3:o:netbsd:netbsd:1.4.2:-:x86
  • NetBSD 1.4.3
    cpe:2.3:o:netbsd:netbsd:1.4.3
  • NetBSD 1.5
    cpe:2.3:o:netbsd:netbsd:1.5
  • cpe:2.3:o:netbsd:netbsd:1.5:-:sh3
    cpe:2.3:o:netbsd:netbsd:1.5:-:sh3
  • cpe:2.3:o:netbsd:netbsd:1.5:-:x86
    cpe:2.3:o:netbsd:netbsd:1.5:-:x86
  • NetBSD 1.5.1
    cpe:2.3:o:netbsd:netbsd:1.5.1
  • NetBSD 1.5.2
    cpe:2.3:o:netbsd:netbsd:1.5.2
  • NetBSD 1.5.3
    cpe:2.3:o:netbsd:netbsd:1.5.3
  • NetBSD 1.6
    cpe:2.3:o:netbsd:netbsd:1.6
  • NetBSD 1.6 Beta
    cpe:2.3:o:netbsd:netbsd:1.6:beta
  • NetBSD 1.6.1
    cpe:2.3:o:netbsd:netbsd:1.6.1
  • NetBSD 1.6.2
    cpe:2.3:o:netbsd:netbsd:1.6.2
  • NetBSD 2.0
    cpe:2.3:o:netbsd:netbsd:2.0
  • NetBSD 2.0.1
    cpe:2.3:o:netbsd:netbsd:2.0.1
  • NetBSD 2.0.2
    cpe:2.3:o:netbsd:netbsd:2.0.2
  • NetBSD 2.0.3
    cpe:2.3:o:netbsd:netbsd:2.0.3
  • NetBSD 2.1
    cpe:2.3:o:netbsd:netbsd:2.1
  • NetBSD 3.0
    cpe:2.3:o:netbsd:netbsd:3.0
  • NetBSD 3.99.15
    cpe:2.3:o:netbsd:netbsd:3.99.15
  • NetBSD 4.0
    cpe:2.3:o:netbsd:netbsd:4.0
  • cpe:2.3:o:netbsd:netbsd:current
    cpe:2.3:o:netbsd:netbsd:current
  • cpe:2.3:o:sun:solaris:8.0:-:sparc
    cpe:2.3:o:sun:solaris:8.0:-:sparc
  • cpe:2.3:o:sun:solaris:8.0:-:x86
    cpe:2.3:o:sun:solaris:8.0:-:x86
  • cpe:2.3:o:sun:solaris:8.0:beta
    cpe:2.3:o:sun:solaris:8.0:beta
  • cpe:2.3:o:sun:solaris:9.0:-:sparc
    cpe:2.3:o:sun:solaris:9.0:-:sparc
  • cpe:2.3:o:sun:solaris:9.0:-:x86
    cpe:2.3:o:sun:solaris:9.0:-:x86
  • cpe:2.3:o:sun:solaris:9.0:x86_update_2
    cpe:2.3:o:sun:solaris:9.0:x86_update_2
  • cpe:2.3:o:sun:solaris:10.0:-:sparc
    cpe:2.3:o:sun:solaris:10.0:-:sparc
  • Sun SunOS (Solaris 8) 5.8
    cpe:2.3:o:sun:sunos:5.8
  • Sun SunOS (Solaris 9) 5.9
    cpe:2.3:o:sun:sunos:5.9
CVSS
Base: 2.6 (as of 12-10-2006 - 11:49)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
LOCAL HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_111844.NASL
    description X11 6.4.1 xdm patch. Date this patch was last updated by Sun : Jan/26/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 23335
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23335
    title Solaris 8 (sparc) : 111844-04
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_124831.NASL
    description X11 6.6.1_x86: xdm patch. Date this patch was last updated by Sun : Jan/18/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 24410
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24410
    title Solaris 9 (x86) : 124831-01
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_124830.NASL
    description X11 6.6.1: xdm patch. Date this patch was last updated by Sun : Jan/18/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 24407
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24407
    title Solaris 9 (sparc) : 124830-01
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_111845.NASL
    description X11 6.4.1_x86: xdm patch. Date this patch was last updated by Sun : Jan/26/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 23447
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23447
    title Solaris 8 (x86) : 111845-04
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_124458.NASL
    description X11 6.6.2_x86: xdm patch. Date this patch was last updated by Sun : Jul/16/10 This plugin has been deprecated and either replaced with individual 124458 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 23918
    published 2006-12-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23918
    title Solaris 10 (x86) : 124458-03 (deprecated)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_124457.NASL
    description X11 6.6.2: xdm patch. Date this patch was last updated by Sun : Jul/16/10 This plugin has been deprecated and either replaced with individual 124457 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 23994
    published 2007-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23994
    title Solaris 10 (sparc) : 124457-03 (deprecated)
oval via4
accepted 2007-09-27T08:57:46.256-04:00
class vulnerability
contributors
name Pai Peng
organization Opsware, Inc.
definition_extensions
  • comment Solaris 8 (SPARC) is installed
    oval oval:org.mitre.oval:def:1539
  • comment Solaris 9 (SPARC) is installed
    oval oval:org.mitre.oval:def:1457
  • comment Solaris 10 (SPARC) is installed
    oval oval:org.mitre.oval:def:1440
  • comment Solaris 8 (x86) is installed
    oval oval:org.mitre.oval:def:2059
  • comment Solaris 9 (x86) is installed
    oval oval:org.mitre.oval:def:1683
  • comment Solaris 10 (x86) is installed
    oval oval:org.mitre.oval:def:1926
description The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file.
family unix
id oval:org.mitre.oval:def:2205
status accepted
submitted 2007-08-10T12:25:23.000-04:00
title Security Vulnerability in X Display Manager (xdm(1)) Xsession Script
version 31
refmap via4
confirm
sectrack 1017015
secunia 22992
sunalert 102652
xf xdm-xsession-symlink(29427)
statements via4
contributor Mark J Cox
lastmodified 2007-03-14
organization Red Hat
statement Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Last major update 05-09-2008 - 17:11
Published 10-10-2006 - 00:06
Last modified 30-10-2018 - 12:26
Back to Top