ID CVE-2007-2027
Summary Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
References
Vulnerable Configurations
  • cpe:2.3:a:elinks:elinks:0.11.1
CVSS
Base: 4.4 (as of 17-04-2007 - 13:44)
Impact:
Exploitability:
CWE CWE-134
CAPEC
  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n writes the number of DWORDs written so far into memory. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Access
Vector: LOCAL
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description ELinks 0.10.6/0.11.1 Relative Path Arbitrary Code Execution Vulnerability. CVE-2007-2027. Local exploit for the Linux platform.
id EDB-ID:29954
last seen 2016-02-03
modified 2007-05-07
published 2007-05-07
reporter Arnaud Giersch
source https://www.exploit-db.com/download/29954/
title ELinks 0.10.6/0.11.1 Relative Path Arbitrary Code Execution Vulnerability
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-1471.NASL
    description An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43798
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43798
    title CentOS 4 / 5 : elinks (CESA-2009:1471)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200706-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-200706-03 (ELinks: User-assisted execution of arbitrary code) Arnaud Giersch discovered that the 'add_filename_to_string()' function in file intl/gettext/loadmsgcat.c uses an untrusted relative path, allowing for a format string attack with a malicious .po file. Impact : A local attacker could entice a user to run ELinks in a specially crafted directory environment containing a malicious '.po' file, possibly resulting in the execution of arbitrary code with the privileges of the user running ELinks. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 25453
    published 2007-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25453
    title GLSA-200706-03 : ELinks: User-assisted execution of arbitrary code
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-1471.NASL
    description From Red Hat Security Advisory 2009:1471 : An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67934
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67934
    title Oracle Linux 4 / 5 : elinks (ELSA-2009-1471)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20091001_ELINKS_ON_SL4_X.NASL
    description CVE-2007-2027 elinks tries to load .po files from a non-absolute path CVE-2008-7224 elinks: entity_cache static array buffer overflow (off-by-one) An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60673
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60673
    title Scientific Linux Security Update : elinks on SL4.x, SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-1471.NASL
    description An updated elinks package that fixes two security issues is now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. ELinks is a text-based Web browser. ELinks does not display any images, but it does support frames, tables, and most other HTML tags. An off-by-one buffer overflow flaw was discovered in the way ELinks handled its internal cache of string representations for HTML special entities. A remote attacker could use this flaw to create a specially crafted HTML file that would cause ELinks to crash or, possibly, execute arbitrary code when rendered. (CVE-2008-7224) It was discovered that ELinks tried to load translation files using relative paths. A local attacker able to trick a victim into running ELinks in a folder containing specially crafted translation files could use this flaw to confuse the victim via incorrect translations, or cause ELinks to crash and possibly execute arbitrary code via embedded formatting sequences in translated messages. (CVE-2007-2027) All ELinks users are advised to upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 41962
    published 2009-10-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41962
    title RHEL 4 / 5 : elinks (RHSA-2009:1471)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2009-0030.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix #235411 - CVE-2007-2027 - elinks tries to load .po files from non-absolute path - fix #523258 - CVE-2008-7224 - entity_cache static array buffer overflow
    last seen 2019-02-21
    modified 2017-02-14
    plugin id 79468
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79468
    title OracleVM 2.1 : elinks (OVMSA-2009-0030)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-457-1.NASL
    description Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 28055
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28055
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : elinks vulnerability (USN-457-1)
oval via4
accepted 2013-04-29T04:21:46.799-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
family unix
id oval:org.mitre.oval:def:9741
status accepted
submitted 2010-07-09T03:56:16-04:00
title Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.
version 24
redhat via4
rpms
  • elinks-0:0.9.2-4.el4_8.1
  • elinks-0:0.11.1-6.el5_4.1
refmap via4
bid 23844
confirm
gentoo GLSA-200706-03
osvdb 35668
secunia
  • 25169
  • 25198
  • 25255
  • 25550
trustix 2007-0017
ubuntu USN-457-1
vupen ADV-2007-1686
statements via4
contributor Mark J Cox
lastmodified 2009-10-02
organization Red Hat
statement This issue affected Red Hat Enterprise Linux 4 and 5. Update packages were released to correct it via: http://rhn.redhat.com/errata/RHSA-2009-1471.html
Last major update 10-03-2011 - 00:00
Published 13-04-2007 - 14:19
Last modified 10-10-2017 - 21:32