SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#700326

cdrecord fails to set proper permissions on programs specified in RSH environment variable

Overview

Cdrecord can call external programs specified by the RSH environment variable. This may permit a malicious local user to gain elevated privileges.

I. Description

Cdrecord is an application used to create data or audio compact discs. Cdrecord permits the use of CD recorders on remote machines via an access program on the local machine. This access program is specified in the RSH environment variable. Cdrecord fails to drop the effective user ID (euid) when calling the program specified by the RSH environment variable.

II. Impact

By specifying a shell script of their own devising, malicious local users can execute arbitrary code with permissions of the cdrecord program. If cdrecord is suid root, the arbitrary code will run with root permissions.

III. Solution

This issue is resolved in cdrtools 2.01, available at the cdrecord download page.

In general, do not run programs as setuid root if such a permission level is not required.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Not Vulnerable13-Sep-2004
ConectivaUnknown16-Sep-2004
Cray Inc.Unknown16-Sep-2004
DebianVulnerable13-Sep-2004
EMC CorporationUnknown16-Sep-2004
EngardeUnknown16-Sep-2004
FreeBSDNot Vulnerable13-Sep-2004
FujitsuUnknown16-Sep-2004
Hewlett-Packard CompanyUnknown16-Sep-2004
HitachiUnknown16-Sep-2004
IBMUnknown16-Sep-2004
IBM-zSeriesUnknown16-Sep-2004
IBM eServerUnknown16-Sep-2004
ImmunixUnknown16-Sep-2004
Ingrian NetworksUnknown16-Sep-2004
Juniper NetworksNot Vulnerable14-Sep-2004
MandrakeSoftVulnerable10-Sep-2004
MontaVista SoftwareUnknown16-Sep-2004
NEC CorporationUnknown16-Sep-2004
NETBSDUnknown16-Sep-2004
NokiaUnknown16-Sep-2004
NovellUnknown16-Sep-2004
OpenBSDUnknown16-Sep-2004
Openwall GNU/*/LinuxNot Vulnerable15-Sep-2004
Red Hat Inc.Unknown16-Sep-2004
SCOUnknown16-Sep-2004
SequentUnknown16-Sep-2004
SGIUnknown16-Sep-2004
Sony CorporationUnknown16-Sep-2004
Sun Microsystems Inc.Unknown16-Sep-2004
SuSE Inc.Unknown16-Sep-2004
TurboLinuxUnknown16-Sep-2004
UnisysUnknown16-Sep-2004
Wind River Systems Inc.Unknown16-Sep-2004

References


http://www.securitytracker.com/alerts/2004/Aug/1011091.html
http://secunia.com/advisories/12481/
http://xforce.iss.net/xforce/xfdb/17303

Credit

Thanks to Max Vozeler for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:2004-08-30
Date First Published:2004-09-16
Date Last Updated:2004-09-17
CERT Advisory: 
CVE-ID(s):CAN-2004-0806
NVD-ID(s):CAN-2004-0806
US-CERT Technical Alerts: 
Metric:10.69
Document Revision:13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader