
CERT Coordination Center

Uudecode performs inadequate checks on user-specified output files

Vulnerability Note VU#336083

Original Release Date: 2002-07-15 | Last Revised: 2002-12-13

Overview

The uudecode utility contains a vulnerability that allows an attacker to overwrite arbitrary files, symbolic links, and named pipes.

Description

The uudecode utility is used to decode files that have been encoded in the 7-bit printable format generated by uuencode. This format allows for the specification of a desired output file name, which may also contain an absolute or relative path. Some implementations of uudecode fail to check the specified file name or its type before writing, so it is possible for uudecode to overwrite existing files, including regular files, symbolic links, and named pipes.

If an attacker can convince a user to invoke uudecode on a malicious file without reviewing the included file name, the attacker can cause the user to overwrite any file accessible by the user. If the victim user has root privileges, the attacker can exploit this vulnerability to overwrite arbitrary files. With respect to symbolic links and named pipes, attackers who exploit this vulnerability can alter the normal operation of system scripts and running processes, significantly increasing the risk of system compromise.

This vulnerability was first discovered in the uudecode implementation included with the GNU Sharutils package, but may be present in other implementations as well. For more information on GNU Sharutils, please see http://www.gnu.org/directory/sharutils.html.
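The following is an added example, not code from GNU Sharutils or from any vendor patch: a decoder that treats the file name in the `begin` line as untrusted and refuses to write over any existing regular file, symbolic link, or named pipe. The function names (`make_sample`, `parse_begin`, `vet_name`, `safe_decode`), the dotfile rule, and the mode masking are assumptions made for this sketch.

```python
import binascii
import os


class UnsafeTarget(Exception):
    """The embedded output name was rejected; nothing was written."""


def make_sample(name, payload=b"hi\n"):
    """Constructed sample input: a one-line uuencoded file with `name` embedded."""
    body = binascii.b2a_uu(payload).decode("ascii")
    return "begin 644 %s\n%s`\nend\n" % (name, body)


def parse_begin(line):
    """Split a 'begin <octal mode> <name>' header into (mode, name)."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "begin" or not parts[2]:
        raise ValueError("not a uuencode header: %r" % line)
    return int(parts[1], 8), parts[2]


def vet_name(name):
    """Accept only a bare, non-hidden file name from the untrusted header."""
    if name in (".", "..") or "/" in name or "\0" in name:
        raise UnsafeTarget("embedded name contains a path: %r" % name)
    if name.startswith("."):
        # Assumed policy: creating a new dotfile is refused as well, since
        # blocking overwrites alone does not stop creation of new files.
        raise UnsafeTarget("embedded name is a dotfile: %r" % name)
    return name


def safe_decode(text, outdir):
    """Decode `text` into `outdir`, never touching anything that already exists."""
    lines = text.splitlines()
    for start, line in enumerate(lines):
        if line.startswith("begin "):
            break
    else:
        raise ValueError("no begin line found")
    mode, name = parse_begin(lines[start])
    target = os.path.join(outdir, vet_name(name))
    # O_CREAT|O_EXCL fails if the final component exists in any form:
    # regular file, symbolic link (even a dangling one) or named pipe.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(target, flags, mode & 0o666)  # drop exec and set-id bits
    except OSError as exc:
        raise UnsafeTarget("refusing to write %r: %s" % (target, exc.strerror))
    with os.fdopen(fd, "wb") as out:
        for line in lines[start + 1:]:
            if line == "end":
                break
            if line:
                out.write(binascii.a2b_uu(line))
    return target
```
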

Impact

Attackers can convince users to overwrite arbitrary files, symbolic links, and named pipes. This ability can be leveraged to gather information, destroy system and user data, and gain control of vulnerable hosts.

Solution

Apply a patch from your vendor

Please see the vendor section of this document for information on obtaining patches.

Vendor Information


Cray Inc.

Notified:  July 15, 2002 Updated:  August 19, 2002

Status

  Vulnerable

Vendor Statement

Cray, Inc. is vulnerable; however, it is by design and will remain that way to maintain POSIX compliancy. According to the POSIX standards for uudecode:

"If the pathname of the file to be produced exists, and the user does not have write permission on the file, uudecode will terminate with an error. If the pathname of the file to be produced exists, and the user has write permission on that file, the existing file will be overwritten."

So, if a user has root write permission then yes they can overwrite a file using uudecode (or cat, or other various unix commands).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  July 15, 2002 Updated:  August 19, 2002

Status

  Vulnerable

Vendor Statement

Debian stable (2.2), testing (pre 3.0) and unstable use a version of GNU sharutils that doesn't test for existing files when uudecoding files.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


GNU Sharutils

Updated:  July 15, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Gentoo Linux

Notified:  October 30, 2002 Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Gentoo Linux has published Security Announcement 200210-012 to address this issue. For more information, please see

Hewlett-Packard Company

Notified:  July 15, 2002 Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux

HP has published a Security Bulletin to address this issue; for further information, please visit http://itrc.hp.com and search for "HPSBTL0205-040". Please note that registration may be required to access this document.

HP Tru64 Unix

HP has published Security Bulletin SSRT2301 to address this issue. The CERT/CC has provided a cached copy of this advisory below:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN: SSRT2301 - HP Tru64 UNIX uudecode Potential Security Vulnerability

REVISION: 0

NOTICE: There are no restrictions for distribution
                of this Bulletin provided that it remains complete
                and intact.

RELEASE DATE: 25 November 2002

SEVERITY:  MEDIUM

SOURCE:  Hewlett-Packard Company
                  Software Security Response Team

REFERENCE:  CERT VU#336083, CAN-2002-0178

PROBLEM SUMMARY

  This bulletin will be posted to the support website
 within 24 hours of release to -
 http://thenew.hp.com/country/us/eng/support.html
 Use the SEARCH IN feature box, enter SSRT2301 in the
 search window.

SSRT2301 uudecode  (Severity - Medium)

  A potential security vulnerability has been discovered
 in the HP Tru64 UNIX operating system, where under certain
 circumstances, system integrity may be compromised through
 improper file access (overwriting files). This potential
 vulnerability may be in the form of a local security domain
 risk.


VERSIONS IMPACTED:

       HP Tru64 UNIX

       HP Tru64 UNIX V5.1A

       HP Tru64 UNIX V5.1

       HP Tru64 UNIX V5.0A

       HP Tru64 UNIX V4.0G

       HP Tru64 UNIX V4.0F


RESOLUTION

  Early Release Patches (ERPs) are now available for all
 supported versions of HP Tru64 UNIX.  The ERP kits use
 dupatch to install and will not  install over any
 Customer Specific Patches (CSPs) which have file
 intersections with the ERPs. Contact your normal support
 channel and request HP Tru64 services elevate a case to
 Support Engineering if a CSP must be merged with one of
 the ERPs.  Please review the README file for each patch
 prior to installation.


HP Tru64 UNIX 5.1A:
Prerequisite: V5.1A with PK3 (BL3) installed
ERP Kit Name:   T64V51AB3-C0055902-16064-ES-20021114 .tar
Kit Location:  ftp://ftp1.support.compaq.com/public/unix/v5.1a/

HP Tru64 UNIX 5.1:
Prerequisite: V5.1 with PK5 (BL19) installed
ERP Kit Name: T64V51B19-C0142502-16065-ES-20021114 .tar
Kit Location:   ftp://ftp1.support.compaq.com/public/unix/v5.1/

HP Tru64 UNIX 5.0A:
Prerequisite: V5.0A with PK3 (BL17) installed
ERP Kit Name: T64V50AB17-C0023802-16066-ES-20021114 .tar
Kit Location:  ftp://ftp1.support.compaq.com/public/unix/v5.0a/

HP Tru64 UNIX 4.0G:
Prerequisite: V4.0G with PK3 (BL17) installed
ERP Kit Name:  T64V40GB17-C0020202-16068-ES-20021114 .tar
Kit Location:  ftp://ftp1.support.compaq.com/public/unix/v4.0g/

HP Tru64 UNIX 4.0F:
Prerequisite: V4.0F with PK7 (BL18) installed
ERP Kit Name: DUV40FB18-C0082402-16085-ES-20021115.tar
Kit Location:  ftp://ftp1.support.compaq.com/public/unix/v4.0f/

Information on how to verify MD5 and SHA1 checksums is
available at: http://www.support.compaq.com/patches/whats-new.shtml

  After completing the update, HP strongly recommends
 that you perform an immediate backup of  the system
 disk so that any subsequent restore operations begin
 with updated software. Otherwise, the updates must
 be re-applied after a future restore operation.
 Also, if at some future time the system is upgraded
 to a later patch release or version release,
 reinstall the appropriate ERP.


SUPPORT: For further information, contact HP Services

SUBSCRIBE: To subscribe to automatically receive future
Security Advisories from the Software Security Response
Team via electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml


REPORT:

  To report a potential security vulnerability with any HP
 supported product, send email to: security-alert@hp.com

  As always, HP urges you to periodically review your system
 management and security procedures. HP will continue to review
 and enhance the security features of its products and work with
 our customers to maintain and improve the security and integrity
 of their systems.

  "HP is broadly distributing this Security Bulletin in order to
 bring to the attention of users of the affected HP products the
 important security information contained in this Bulletin. HP
 recommends that all users determine the applicability of this
 information to their individual situations and take appropriate
 action. HP does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 HP will not be responsible for any damages resulting from user's
 use or disregard of the information provided in this Bulletin."

(c)Copyright 2002 Hewlett-Packard Company.
 Hewlett-Packard Company shall not be liable for technical
 or editorial errors or omissions contained herein. The information
 in this document is subject to change without notice.
 Hewlett-Packard Company and the names of Hewlett-Packard products
 referenced herein are trademarks of Hewlett-Packard Company in the
 United States and other countries. Other product and company names
 mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPeMNejnTu2ckvbFuEQJX+QCgrSMMr96xdnGtaGCR0zrvhF3MJCwAn2Pq
TOFFQ+B//Yec4gS0wt+wjsjs
=juy8
-----END PGP SIGNATURE-----


Internet Security Systems Inc.

Notified:  August 19, 2002 Updated:  August 19, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Notified:  July 15, 2002 Updated:  August 19, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published Mandrake Linux Security Update Advisory MDKSA-2002:052 to address this vulnerability. For more information, please see

Red Hat Inc.

Notified:  April 16, 2002 Updated:  July 16, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat has published Red Hat Security Advisory RHSA-2002:065-13 to address this issue; for more information, please see

Sun Microsystems Inc.

Notified:  July 15, 2002 Updated:  August 19, 2002

Status

  Vulnerable

Vendor Statement

Sun does not believe that this is a security risk as uudecode is functioning as expected and documented. This is an issue if uudecode is blindly executed by a mail reader or other software application. For example if the following /etc/mail/aliases entry is uncommented:

# decode: "|/usr/bin/uudecode"

There aren't any tools in the standard Solaris distribution which require uudecode to be run with privileges.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO Linux)

Notified:  July 15, 2002 Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

All of our operating system offerings (Caldera Open UNIX, Caldera OpenLinux, SCO OpenServer) supply uudecode, and all of them have this vulnerability.

We are working on fixes for all our operating systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SCO Group has published SCO Security Advisory CSSA-2002-040.0 to address this issue. For more information, please see

The SCO Group (SCO UnixWare)

Notified:  July 15, 2002 Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

All of our operating system offerings (Caldera Open UNIX, Caldera OpenLinux, SCO OpenServer) supply uudecode, and all of them have this vulnerability.

We are working on fixes for all our operating systems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SCO Group has published SCO Security Advisory CSSA-2002-SCO.44 to address this issue. For more information, please see

Fujitsu

Notified:  July 15, 2002 Updated:  August 19, 2002

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V O.S. is not affected. UXP/V does not support the uudecode command.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Apple Computer Inc.

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


BSDI

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Compaq Computer Corporation

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Data General

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Guardian Digital Inc.

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NEC Corporation

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenBSD

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sony Corporation

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE Inc.

Notified:  July 15, 2002 Updated:  July 22, 2002

Status

  Unknown

Vendor Statement

The SuSE security team has been aware of this issue for several years. We would like to point out that not overwriting existing files is not sufficient protection, as an attacker may also gain access by creating files that were not there previously (e.g. many people don't have ~/.shosts or ~/.ssh/authorized_keys2).

The best solution in our opinion is to make sure that all mail user agents etc always invoke uudecode with a filename argument on the command line. This is the case for SuSE Linux, so we do not consider ourselves vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This statement from the SuSE Security Team provides no indication that this vulnerability has been addressed.


Unisys

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Wind River Systems Inc.

Notified:  July 15, 2002 Updated:  July 16, 2002

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.




CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was discovered by AERAsec.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2002-0178
Severity Metric: 9.41
Date Public: 2002-04-16
Date First Published: 2002-07-15
Date Last Updated: 2002-12-13 16:42 UTC
Document Revision: 28

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.