Vulnerability Note VU#700326
cdrecord fails to set proper permissions on programs specified in RSH environment variable
Cdrecord can call external programs specified by the RSH environment variable. This may permit a malicious local user to gain elevated privileges.
Cdrecord is an application used to create data or audio compact discs. Cdrecord permits the use of CD recorders on remote machines via an access program on the local machine. This access program is specified in the RSH environment variable. Cdrecord fails to drop the effective user ID (euid) when calling the program specified by the RSH environment variable.
By specifying a shell script of their own devising, malicious local users can execute arbitrary code with permissions of the cdrecord program. If cdrecord is suid root, the arbitrary code will run with root permissions.
This issue is resolved in cdrtools 2.01, available at the cdrecord download page.
In general, do not run programs as setuid root if such a permission level is not required.
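The defensive pattern the description points to, dropping the effective IDs before executing a helper chosen through an environment variable, is shown below as an added example. It is not the cdrtools 2.01 patch or any cdrecord code; the function names and the fallback helper `true` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-id privileges so that real, effective and saved
 * IDs all equal the invoking user's. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid drop we may not be allowed to change gid. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the result rather than trusting the return codes alone. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* The drop must be irreversible for a non-root caller. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Run the helper named by environment variable `envname` (RSH in this note),
 * or `fallback` if unset, in a child that has dropped privileges first.
 * Returns the helper's exit status, or -1 on error. Hypothetical helper. */
int run_helper_unprivileged(const char *envname, const char *fallback)
{
    const char *prog = getenv(envname);
    pid_t pid;
    int status;

    if (prog == NULL || *prog == '\0')
        prog = fallback;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);               /* refuse to exec while privileged */
        execlp(prog, prog, (char *)NULL);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return run_helper_unprivileged("RSH", "true"); }
```

The privileged parent keeps its IDs for device access; only the child that executes the user-chosen program runs with the invoking user's IDs.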
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian | Affected | 10 Sep 2004 | 13 Sep 2004 |
| MandrakeSoft | Affected | 10 Sep 2004 | 10 Sep 2004 |
| Apple Computer Inc. | Not Affected | 10 Sep 2004 | 13 Sep 2004 |
| FreeBSD | Not Affected | 10 Sep 2004 | 13 Sep 2004 |
| Juniper Networks | Not Affected | 10 Sep 2004 | 14 Sep 2004 |
| Openwall GNU/*/Linux | Not Affected | 10 Sep 2004 | 15 Sep 2004 |
| Conectiva | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| Cray Inc. | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| EMC Corporation | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| Engarde | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| Fujitsu | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| Hewlett-Packard Company | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| Hitachi | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| IBM | Unknown | 10 Sep 2004 | 16 Sep 2004 |
| IBM-zSeries | Unknown | 10 Sep 2004 | 16 Sep 2004 |
Thanks to Max Vozeler for reporting this vulnerability.
This document was written by Will Dormann.
- CVE IDs: CAN-2004-0806
- Date Public: 30 Aug 2004
- Date First Published: 16 Sep 2004
- Date Last Updated: 17 Sep 2004
- Severity Metric: 10.69
- Document Revision: 13