ID CVE-2008-5374
Summary bash-doc 3.2 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/cb#####.? temporary file, related to the (1) aliasconv.sh, (2) aliasconv.bash, and (3) cshtobash scripts.
References
Vulnerable Configurations
  • cpe:2.3:a:matthias_klose:bash-doc:3.2
CVSS
Base: 6.9 (as of 09-12-2008 - 10:03)
Impact:
Exploitability:
CWE CWE-59
CAPEC
  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
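The flaw behind this record is a temporary file whose name is built from the PID under /tmp, so any local user can guess it. The following shell script is an added example, not code from the CVE record or from the bash-doc scripts: it flags that naming pattern in a script, and shows the mktemp-based replacement that creates the file atomically so a pre-placed symlink fails instead of being followed. The sample script content is constructed to mirror the pattern; the real aliasconv/cshtobash scripts are not reproduced.

```shell
#!/bin/sh
# Added example, not code from the CVE record or the bash-doc scripts.
# Temp names built from $$ under /tmp are guessable by any local user,
# which is what made the symlink attack in CVE-2008-5374 possible.

# Report lines in a shell script that build a /tmp name from $$.
# Returns 1 when at least one such line is found, 0 otherwise.
audit_tmp_usage() {
    script="$1"
    hits=$(grep -nE '/tmp/[A-Za-z0-9_.-]*\$\$' "$script" | grep -v mktemp || true)
    if [ -n "$hits" ]; then
        printf 'predictable temp names in %s:\n%s\n' "$script" "$hits" >&2
        return 1
    fi
    return 0
}

# Number of flagged lines, for callers that want a count rather than a status.
count_tmp_hits() {
    grep -cE '/tmp/[A-Za-z0-9_.-]*\$\$' "$1"
}

# Safe creation: mktemp picks an unpredictable suffix and opens the file with
# O_CREAT|O_EXCL and mode 0600, so an existing symlink at the chosen name
# makes the call fail instead of redirecting the write to the link target.
# Prints the new path; returns non-zero if creation failed.
make_safe_tmp() {
    prefix="${1:-cb}"
    mktemp "${TMPDIR:-/tmp}/${prefix}.XXXXXX"
}

# Constructed sample that mirrors the insecure /tmp/cb$$ pattern.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
T=/tmp/cb$$.a
alias > $T
sed -e 's/^/alias /' $T > /tmp/cb$$.b
rm -f $T /tmp/cb$$.b
EOF
}

# Demo: audit the constructed sample, then create a temp file the safe way.
sample=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX") || exit 1
write_sample_script "$sample"
if audit_tmp_usage "$sample"; then
    echo "no predictable temp names in $sample"
else
    echo "audit flagged $(count_tmp_hits "$sample") line(s) in $sample"
fi
safe=$(make_safe_tmp cb) && echo "safe temp file created: $safe"
rm -f "$sample" "$safe"
```

The audit function is meant to be run over the scripts shipped under /usr/share/doc before they are invoked; a clean result means no PID-derived /tmp names were found, not that every temp-file use is safe.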
Access
  • Vector: LOCAL
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1073.NASL
    description An updated bash package that fixes one security issue, several bugs, and adds one enhancement is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Bash is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update fixes the following bugs : * When using the source builtin at location '.', occasionally, bash opted to preserve internal consistency and abort scripts. This caused bash to abort scripts that assigned values to read-only variables. This is now fixed to ensure that such scripts are now executed as written and not aborted. (BZ#448508) * When the tab key was pressed for auto-completion options for the typed text, the cursor moved to an unexpected position on a previous line if the prompt contained characters that cannot be viewed and a '\]'. This is now fixed to retain the cursor at the expected position at the end of the target line after autocomplete options correctly display. (BZ#463880) * Bash attempted to interpret the NOBITS .dynamic section of the ELF header. This resulted in a '^D: bad ELF interpreter: No such file or directory' message. This is fixed to ensure that the invalid '^D' does not appear in the error message. (BZ#484809) * The $RANDOM variable in Bash carried over values from a previous execution for later jobs. This is fixed and the $RANDOM variable generates a new random number for each use. (BZ#492908) * When Bash ran a shell script with an embedded null character, bash's source builtin parsed the script incorrectly. This is fixed and bash's source builtin correctly parses shell script null characters. (BZ#503701) * The bash manual page for 'trap' did not mention that signals ignored upon entry cannot be listed later. The manual page was updated for this update and now specifically notes that 'Signals ignored upon entry to the shell cannot be trapped, reset or listed'. (BZ#504904) * Bash's readline incorrectly displayed additional text when resizing the terminal window when text spanned more than one line, which caused incorrect display output. This is now fixed to ensure that text in more than one line in a resized window displays as expected. (BZ#525474) * Previously, bash incorrectly displayed 'Broken pipe' messages for builtins like 'echo' and 'printf' when output did not succeed due to EPIPE. This is fixed to ensure that the unnecessary 'Broken pipe' messages no longer display. (BZ#546529) * Inserts with the repeat function were not possible after a deletion in vi-mode. This has been corrected and, with this update, the repeat function works as expected after a deletion. (BZ#575076) * In some situations, bash incorrectly appended '/' to files instead of just directories during tab-completion, causing incorrect auto-completions. This is fixed and auto-complete appends '/' only to directories. (BZ#583919) * Bash had a memory leak in the 'read' builtin when the number of fields being read was not equal to the number of variables passed as arguments, causing a shell script crash. This is fixed to prevent a memory leak and shell script crash. (BZ#618393) * /usr/share/doc/bash-3.2/loadables in the bash package contained source files which would not build due to missing C header files. With this update, the unusable (and unbuildable) source files were removed from the package. (BZ#663656) This update also adds the following enhancement : * The system-wide '/etc/bash.bash_logout' bash logout file is now enabled. This allows administrators to write system-wide logout actions for all users. (BZ#592979) Users of bash are advised to upgrade to this updated package, which contains backported patches to resolve these issues and add this enhancement.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 55646
    published 2011-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55646
    title RHEL 5 : bash (RHSA-2011:1073)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-004.NASL
    description A vulnerability has been discovered in the Mandriva bash package, which could allow a malicious user to hide files from the ls command, or garble its output by crafting files or directories which contain special characters or escape sequences (CVE-2010-0002). This update fixes the issue by disabling the display of control characters by default. Additionally, this update fixes the unsafe file creation in bash-doc sample scripts (CVE-2008-5374). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 43880
    published 2010-01-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43880
    title Mandriva Linux Security Advisory : bash (MDVSA-2010:004)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0261.NASL
    description From Red Hat Security Advisory 2011:0261 : Updated bash packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Bash (Bourne-again shell) is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update also fixes the following bugs : * If a child process's PID was the same as the PID of a previously ended child process, Bash did not wait for that child process. In some cases this caused 'Resource temporarily unavailable' errors. With this update, Bash recycles PIDs and waits for processes with recycled PIDs. (BZ#521134) * Bash's built-in 'read' command had a memory leak when 'read' failed due to no input (pipe for stdin). With this update, the memory is correctly freed. (BZ#537029) * Bash did not correctly check for a valid multi-byte string when setting the IFS value, causing Bash to crash. With this update, Bash checks the multi-byte string and no longer crashes. (BZ#539536) * Bash incorrectly set locale settings when using the built-in 'export' command and setting the locale on the same line (for example, with 'LC_ALL=C export LC_ALL'). With this update, Bash correctly sets locale settings. (BZ#539538) All bash users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68202
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68202
    title Oracle Linux 4 : bash (ELSA-2011-0261)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1073.NASL
    description An updated bash package that fixes one security issue, several bugs, and adds one enhancement is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Bash is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update fixes the following bugs : * When using the source builtin at location '.', occasionally, bash opted to preserve internal consistency and abort scripts. This caused bash to abort scripts that assigned values to read-only variables. This is now fixed to ensure that such scripts are now executed as written and not aborted. (BZ#448508) * When the tab key was pressed for auto-completion options for the typed text, the cursor moved to an unexpected position on a previous line if the prompt contained characters that cannot be viewed and a '\]'. This is now fixed to retain the cursor at the expected position at the end of the target line after autocomplete options correctly display. (BZ#463880) * Bash attempted to interpret the NOBITS .dynamic section of the ELF header. This resulted in a '^D: bad ELF interpreter: No such file or directory' message. This is fixed to ensure that the invalid '^D' does not appear in the error message. (BZ#484809) * The $RANDOM variable in Bash carried over values from a previous execution for later jobs. This is fixed and the $RANDOM variable generates a new random number for each use. (BZ#492908) * When Bash ran a shell script with an embedded null character, bash's source builtin parsed the script incorrectly. This is fixed and bash's source builtin correctly parses shell script null characters. (BZ#503701) * The bash manual page for 'trap' did not mention that signals ignored upon entry cannot be listed later. The manual page was updated for this update and now specifically notes that 'Signals ignored upon entry to the shell cannot be trapped, reset or listed'. (BZ#504904) * Bash's readline incorrectly displayed additional text when resizing the terminal window when text spanned more than one line, which caused incorrect display output. This is now fixed to ensure that text in more than one line in a resized window displays as expected. (BZ#525474) * Previously, bash incorrectly displayed 'Broken pipe' messages for builtins like 'echo' and 'printf' when output did not succeed due to EPIPE. This is fixed to ensure that the unnecessary 'Broken pipe' messages no longer display. (BZ#546529) * Inserts with the repeat function were not possible after a deletion in vi-mode. This has been corrected and, with this update, the repeat function works as expected after a deletion. (BZ#575076) * In some situations, bash incorrectly appended '/' to files instead of just directories during tab-completion, causing incorrect auto-completions. This is fixed and auto-complete appends '/' only to directories. (BZ#583919) * Bash had a memory leak in the 'read' builtin when the number of fields being read was not equal to the number of variables passed as arguments, causing a shell script crash. This is fixed to prevent a memory leak and shell script crash. (BZ#618393) * /usr/share/doc/bash-3.2/loadables in the bash package contained source files which would not build due to missing C header files. With this update, the unusable (and unbuildable) source files were removed from the package. (BZ#663656) This update also adds the following enhancement : * The system-wide '/etc/bash.bash_logout' bash logout file is now enabled. This allows administrators to write system-wide logout actions for all users. (BZ#592979) Users of bash are advised to upgrade to this updated package, which contains backported patches to resolve these issues and add this enhancement.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 56266
    published 2011-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56266
    title CentOS 5 : bash (CESA-2011:1073)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110216_BASH_ON_SL4_X.NASL
    description It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update also fixes the following bugs : - If a child process's PID was the same as the PID of a previously ended child process, Bash did not wait for that child process. In some cases this caused 'Resource temporarily unavailable' errors. With this update, Bash recycles PIDs and waits for processes with recycled PIDs. (BZ#521134) - Bash's built-in 'read' command had a memory leak when 'read' failed due to no input (pipe for stdin). With this update, the memory is correctly freed. (BZ#537029) - Bash did not correctly check for a valid multi-byte string when setting the IFS value, causing Bash to crash. With this update, Bash checks the multi-byte string and no longer crashes. (BZ#539536) - Bash incorrectly set locale settings when using the built-in 'export' command and setting the locale on the same line (for example, with 'LC_ALL=C export LC_ALL'). With this update, Bash correctly sets locale settings. (BZ#539538)
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 60956
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60956
    title Scientific Linux Security Update : bash on SL4.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0261.NASL
    description Updated bash packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Bash (Bourne-again shell) is the default shell for Red Hat Enterprise Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update also fixes the following bugs : * If a child process's PID was the same as the PID of a previously ended child process, Bash did not wait for that child process. In some cases this caused 'Resource temporarily unavailable' errors. With this update, Bash recycles PIDs and waits for processes with recycled PIDs. (BZ#521134) * Bash's built-in 'read' command had a memory leak when 'read' failed due to no input (pipe for stdin). With this update, the memory is correctly freed. (BZ#537029) * Bash did not correctly check for a valid multi-byte string when setting the IFS value, causing Bash to crash. With this update, Bash checks the multi-byte string and no longer crashes. (BZ#539536) * Bash incorrectly set locale settings when using the built-in 'export' command and setting the locale on the same line (for example, with 'LC_ALL=C export LC_ALL'). With this update, Bash correctly sets locale settings. (BZ#539538) All bash users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 52008
    published 2011-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=52008
    title RHEL 4 : bash (RHSA-2011:0261)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110721_BASH_ON_SL5_X.NASL
    description Bash is the default shell for Scientific Linux. It was found that certain scripts bundled with the Bash documentation created temporary files in an insecure way. A malicious, local user could use this flaw to conduct a symbolic link attack, allowing them to overwrite the contents of arbitrary files accessible to the victim running the scripts. (CVE-2008-5374) This update fixes the following bugs : - When using the source builtin at location '.', occasionally, bash opted to preserve internal consistency and abort scripts. This caused bash to abort scripts that assigned values to read-only variables. This is now fixed to ensure that such scripts are now executed as written and not aborted. - When the tab key was pressed for auto-completion options for the typed text, the cursor moved to an unexpected position on a previous line if the prompt contained characters that cannot be viewed and a '\]'. This is now fixed to retain the cursor at the expected position at the end of the target line after autocomplete options correctly display. - Bash attempted to interpret the NOBITS .dynamic section of the ELF header. This resulted in a '^D: bad ELF interpreter: No such file or directory' message. This is fixed to ensure that the invalid '^D' does not appear in the error message. - The $RANDOM variable in Bash carried over values from a previous execution for later jobs. This is fixed and the $RANDOM variable generates a new random number for each use. - When Bash ran a shell script with an embedded null character, bash's source builtin parsed the script incorrectly. This is fixed and bash's source builtin correctly parses shell script null characters. - The bash manual page for 'trap' did not mention that signals ignored upon entry cannot be listed later. The manual page was updated for this update and now specifically notes that 'Signals ignored upon entry to the shell cannot be trapped, reset or listed'. - Bash's readline incorrectly displayed additional text when resizing the terminal window when text spanned more than one line, which caused incorrect display output. This is now fixed to ensure that text in more than one line in a resized window displays as expected. - Previously, bash incorrectly displayed 'Broken pipe' messages for builtins like 'echo' and 'printf' when output did not succeed due to EPIPE. This is fixed to ensure that the unnecessary 'Broken pipe' messages no longer display. - Inserts with the repeat function were not possible after a deletion in vi-mode. This has been corrected and, with this update, the repeat function works as expected after a deletion. - In some situations, bash incorrectly appended '/' to files instead of just directories during tab-completion, causing incorrect auto-completions. This is fixed and auto-complete appends '/' only to directories. - Bash had a memory leak in the 'read' builtin when the number of fields being read was not equal to the number of variables passed as arguments, causing a shell script crash. This is fixed to prevent a memory leak and shell script crash. - /usr/share/doc/bash-3.2/loadables in the bash package contained source files which would not build due to missing C header files. With this update, the unusable (and unbuildable) source files were removed from the package. This update also adds the following enhancement : - The system-wide '/etc/bash.bash_logout' bash logout file is now enabled. This allows administrators to write system-wide logout actions for all users. Users of bash are advised to upgrade to this updated package, which contains backported patches to resolve these issues and add this enhancement.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61088
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61088
    title Scientific Linux Security Update : bash on SL5.x i386/x86_64
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201210-05.NASL
    description The remote host is affected by the vulnerability described in GLSA-201210-05 (Bash: Multiple vulnerabilities) Two vulnerabilities have been found in Bash: Bash example scripts do not handle temporary files securely (CVE-2008-5374). Improper bounds checking in Bash could cause a stack-based buffer overflow (CVE-2012-3410). Impact : A remote attacker could entice a user to open a specially crafted Bash script, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition of the Bash executable. A local attacker may be able to perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application or bypass shell access restrictions. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 62650
    published 2012-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62650
    title GLSA-201210-05 : Bash: Multiple vulnerabilities
redhat via4
advisories
  • bugzilla
    id 521134
    title Bash doesn't wait for backgrounded process if its PID is recycled
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • comment bash is earlier than 0:3.0-27.el4
      oval oval:com.redhat.rhsa:tst:20110261002
    • comment bash is signed with Red Hat master key
      oval oval:com.redhat.rhsa:tst:20110261003
    rhsa
    id RHSA-2011:0261
    released 2011-02-16
    severity Low
    title RHSA-2011:0261: bash security and bug fix update (Low)
  • bugzilla
    id 663656
    title Unusable loadables in /doc
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • comment bash is earlier than 0:3.2-32.el5
      oval oval:com.redhat.rhsa:tst:20111073002
    • comment bash is signed with Red Hat redhatrelease key
      oval oval:com.redhat.rhsa:tst:20111073003
    rhsa
    id RHSA-2011:1073
    released 2011-07-21
    severity Low
    title RHSA-2011:1073: bash security, bug fix, and enhancement update (Low)
rpms
  • bash-0:3.0-27.el4
  • bash-0:3.2-32.el5
refmap via4
bid 32733
gentoo GLSA-201210-05
mandriva MDVSA-2010:004
misc http://uvw.ru/report.sid.txt
mlist [debian-devel] 20080813 Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages
secunia
  • 43365
  • 51086
vupen ADV-2011-0414
statements via4
contributor Tomas Hoger
lastmodified 2008-12-10
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-5374 The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
Last major update 18-04-2013 - 22:42
Published 08-12-2008 - 18:30