Vulnerability Note VU#700326

cdrecord fails to set proper permissions on programs specified in RSH environment variable

Original Release date: 16 Sep 2004 | Last revised: 17 Sep 2004

Overview

Cdrecord can call external programs specified by the RSH environment variable. This may permit a malicious local user to gain elevated privileges.

Description

Cdrecord is an application used to create data or audio compact discs. Cdrecord permits the use of CD recorders on remote machines via an access program on the local machine. This access program is specified in the RSH environment variable. Cdrecord fails to drop the effective user ID (euid) when calling the program specified by the RSH environment variable.

Impact

By specifying a shell script of their own devising, malicious local users can execute arbitrary code with the permissions of the cdrecord program. If cdrecord is suid root, the arbitrary code will run with root permissions.

Solution

This issue is resolved in cdrtools 2.01, available at the cdrecord download page.

In general, do not run programs as setuid root if such a permission level is not required.
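
The defensive pattern the Description implies, as an added example (not code from cdrtools or from this note): a setuid-root program drops its effective IDs in the child process before executing a helper named by an environment variable. The function names, the fallback path, and the demo arguments are assumptions made for illustration.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up setuid-root privileges: group first, then user. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Confirm the drop took effect and root cannot be regained. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical wrapper: run the helper named by environment variable `var`
 * (or `fallback`). Returns its exit status; 126 = drop failed, 127 = exec failed. */
int run_helper(const char *var, const char *fallback, char *const argv[])
{
    const char *prog = getenv(var);
    pid_t pid;
    int status;
    if (prog == NULL || *prog == '\0')
        prog = fallback;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Vulnerable pattern: exec here while euid is still root. */
        if (drop_privileges() != 0)
            _exit(126);
        execvp(prog, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *demo[] = { "sh", "-c", "id", NULL }; /* constructed arguments */
    return run_helper("RSH", "/bin/sh", demo);
}
```

The drop happens in the child only, so the parent keeps whatever privileges it still needs for device access while the user-chosen helper runs with the invoking user's IDs.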

Systems Affected

Vendor                   Status        Date Notified  Date Updated
Debian                   Affected      10 Sep 2004    13 Sep 2004
MandrakeSoft             Affected      10 Sep 2004    10 Sep 2004
Apple Computer Inc.      Not Affected  10 Sep 2004    13 Sep 2004
FreeBSD                  Not Affected  10 Sep 2004    13 Sep 2004
Juniper Networks         Not Affected  10 Sep 2004    14 Sep 2004
Openwall GNU/*/Linux     Not Affected  10 Sep 2004    15 Sep 2004
Conectiva                Unknown       10 Sep 2004    16 Sep 2004
Cray Inc.                Unknown       10 Sep 2004    16 Sep 2004
EMC Corporation          Unknown       10 Sep 2004    16 Sep 2004
Engarde                  Unknown       10 Sep 2004    16 Sep 2004
Fujitsu                  Unknown       10 Sep 2004    16 Sep 2004
Hewlett-Packard Company  Unknown       10 Sep 2004    16 Sep 2004
Hitachi                  Unknown       10 Sep 2004    16 Sep 2004
IBM                      Unknown       10 Sep 2004    16 Sep 2004
IBM-zSeries              Unknown       10 Sep 2004    16 Sep 2004

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Max Vozeler for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CAN-2004-0806
  • Date Public: 30 Aug 2004
  • Date First Published: 16 Sep 2004
  • Date Last Updated: 17 Sep 2004
  • Severity Metric: 10.69
  • Document Revision: 13
