search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Taylor UUCP Package fails to properly filter command line arguments

Vulnerability Note VU#798263

Original Release Date: 2001-09-25 | Last Revised: 2002-02-08

Overview

Several Linux/Unix systems ship with a utility package called Taylor UUCP. A component of the UUCP package, uuxqt, fails to properly filter arguments from the commands sent to it. This can allow an intruder to gain elevated privileges and execute commands with the privileges of uucp, usually root.

Description

A component of the UUCP package, uuxqt, is a daemon that executes commands requested by uux either from the local system or from remote systems. Before executing the command, uuxqt is supposed to filter dangerous command arguments. It fails to properly filter command line arguments that are specified in their long format. This can allow an intruder to gain elevated privileges and execute commands.

Impact

An intruder can gain elevated privileges and execute commands.

Solution

Apply the patches and upgrades provided by your vendor.

Vendor Information

798263
 
Affected   Unknown   Unaffected

Caldera

Updated:  September 25, 2001

Status

  Vulnerable

Vendor Statement

http://www.caldera.com/support/security/advisories/CSSA-2001-033.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Updated:  September 25, 2001

Status

  Vulnerable

Vendor Statement

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000425

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  September 25, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------------
Debian Security Advisory DSA 079-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
September 24, 2001
- ----------------------------------------------------------------------------

Package : uucp
Vulnerability : uucp uid/gid access
Problem-Type : local exploit
Debian-specific: no

zen-parse has found a problem with Taylor UUCP as distributed with
many GNU/Linux distributions. It was possible to make `uux' execute
`uucp' with malicious commandline arguments which gives an attacker
access to files owned by uid/gid uucp.

This problem has been fixed in version of 1.06.1-11potato1 for Debian
GNU/Linux 2.2 by using a patch that RedHat has provided.

We recommend that you upgrade your uucp package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ------------------------------------


Source archives:

http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato1.diff.gz
MD5 checksum: 4e2f02a4abd2ce86ffb0e154ef5d162b
http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato1.dsc
MD5 checksum: fd358e7e14f32ffa16cd3f2e6137b05c
http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1.orig.tar.gz
MD5 checksum: 390af5277915fcadbeee74d2f3038af9

Alpha architecture:

http://security.debian.org/dists/stable/updates/main/binary-alpha/uucp_1.06.1-11potato1_alpha.deb
MD5 checksum: c1ad1038530a5ee1a6fb92fb90be287f

ARM architecture:

http://security.debian.org/dists/stable/updates/main/binary-arm/uucp_1.06.1-11potato1_arm.deb
MD5 checksum: 5821d1b6b9bccfa7486183216ffc7dfa

Intel ia32 architecture:

http://security.debian.org/dists/stable/updates/main/binary-i386/uucp_1.06.1-11potato1_i386.deb
MD5 checksum: deb9d76651686c2b0a2d51488e3cf0da

Motorola 680x0 architecture:

http://security.debian.org/dists/stable/updates/main/binary-m68k/uucp_1.06.1-11potato1_m68k.deb
MD5 checksum: 37f78dceb1e6c3b492246c888a744af7

PowerPC architecture:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/uucp_1.06.1-11potato1_powerpc.deb
MD5 checksum: e2a81774e4cd6c1eabbcf1c8fbf2e406

Sun Sparc architecture:

http://security.debian.org/dists/stable/updates/main/binary-sparc/uucp_1.06.1-11potato1_sparc.deb
MD5 checksum: 28148692a588b9b0c9b7598d0084fd2a


These files will be moved into the stable distribution on its next
revision.

- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7ryqnW5ql+IAeqTIRAg85AKC3WjUR7+pcdnNzqJTKYCgAW7JPcgCgoKJz
Eyo1dUud25pN5l8FnvaeCas=
=rFIN
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  September 24, 2001 Updated:  October 09, 2001

Status

  Vulnerable

Vendor Statement

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:62.uucp.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  September 24, 2001 Updated:  February 08, 2002

Status

  Vulnerable

Vendor Statement

                        HP Support Information Digests

===============================================================================
o  Security Bulletin Digest Split
  ------------------------------

   The security bulletins digest has been split into multiple digests
  based on the operating system (HP-UX, MPE/iX, and HP Secure OS
  Software for Linux).  You will continue to receive all security
  bulletin digests unless you choose to update your subscriptions.

   To update your subscriptions, use your browser to access the
  IT Resource Center on the World Wide Web at:

     http://www.itresourcecenter.hp.com/

   Under the Maintenance and Support Menu, click on the "more..." link.
  Then use the 'login' link at the left side of the screen to login
  using your IT Resource Center User ID and Password.

   Under the notifications section (near the bottom of the page), select
  Support Information Digests.

   To subscribe or unsubscribe to a specific security bulletin digest,
  select or unselect the checkbox beside it. Then click the
  "Update Subscriptions" button at the bottom of the page.

o  IT Resource Center World Wide Web Service
  ---------------------------------------------------

   If you subscribed through the IT Resource Center and would
  like to be REMOVED from this mailing list, access the
  IT Resource Center on the World Wide Web at:

     http://www.itresourcecenter.hp.com/

   Login using your IT Resource Center User ID and Password.
  Then select Support Information Digests (located under
  Maintenance and Support).  You may then unsubscribe from the
  appropriate digest.
===============================================================================


Digest Name:  daily HP Secure OS Software for Linux security bulletins digest
   Created:  Wed Jan 23  3:00:08 PST 2002

Table of Contents:

Document ID      Title
---------------  -----------
HPSBTL0201-018   Updated uucp packages available

The documents are listed below.
-------------------------------------------------------------------------------


Document ID:  HPSBTL0201-018
Date Loaded:  20020122
     Title:  Updated uucp packages available

TEXT





---------------------------------------------------------------
   HEWLETT-PACKARD COMPANY SECURITY bulletin: #018
   Originally issued: 22 January '02
---------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible.  Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Bulletin as soon as possible.

Because the vulnerability does not require a HP Secure OS
1.0 patch or re-packaging of the RPM affected by the bulletin, the
RPMs have not been produced or tested by Hewlett-Packard Company.

---------------------------------------------------------------
PROBLEM:  Security flaw in the uuxqt utility of the uucp package.

PLATFORM: Any system running HP Secure OS software for Linux Release 1.0

DAMAGE:   Local users can gain inappropriate privileges

SOLUTION: Apply the appropriate RPMs (see section B below)

MANUAL ACTIONS: None

AVAILABILITY: The RPMs are available now.
---------------------------------------------------------------
A. Background

    Uuxqt is part of a remote command execution facility within
   uucp. A flaw exists that allows local users to gain inappropriate
   privileges. The uucp package is not included in the default
   installation of HP Secure OS Software for Linux release 1.0.

 B. Fixing the problem

    Hewlett-Packard Company recommends that customers download the RPMs
   listed in the following Red Hat Security Advisory:

    2002-01-15 uucp (RHSA-2001-165) The uuxqt utility can be used to
   execute arbitrary commands as uucp.uucp

    http://www.redhat.com/support/errata/RHSA-2001-165.html


    To install the security bulletin RPMs, use the following sequence
   of commands:

    1. If you use the tripwire product, we recommend that you run a
      a consistency check and fix any violations before installing
      the security bulletin RPM.

           tripwire --check --interactive

    2. Install the bulletin RPM from the root account.

           rpm -F <bulletin RPM name>

    3. Update the tripwire database

           tripwire --check --interactive



    NOTE:
   The rpm -q <package name> command can be used to determine if the
   product is installed. Hewlett-Packard Company recommends applying the
   Security Bulletin fixes to installed packages only. The -F option
   to the RPM installer will only apply the fix if the package is
   currently installed on the system. Dependent RPMs can be found by
   using the "Find Latest RPMs" search facility at
   
http://www.redhat.com/apps/download. To find the latest dependent
   RPM enter the RPM's name in the "By Keyword" box.


 C. To subscribe to automatically receive future HP Security
   Bulletins from the HP IT Resource Center via electronic
   mail, do the following:

    Use your browser to access the HP IT Resource Center page
   at:

       http://itrc.hp.com

    Use the 'Login' tab at the left side of the screen to login
   using your ID and password.  Use your existing login or the
   "Register" button at the left to create a login. Remember to
   save the User ID assigned to you, and your password. This
   login provides access to many useful areas of the ITRC.

    In the leftmost frame select "Maintenance and Support".

    Under the "Notifications" section (near the bottom of
   the page), select "Support Information Digests".

    To -subscribe- to future HP Security Bulletins or other
   Technical Digests, click the check box (in the left column)
   for the appropriate digest and then click the "Update
   Subscriptions" button at the bottom of the page.

    or

    To -review- bulletins already released, select the link
   (in the middle column) for the appropriate digest.

 D. To report new security vulnerabilities, send email to

    security-alert@hp.com

    Please encrypt any exploit information using the
   security-alert PGP key, available from your local key
   server. You may also get the security-alert PGP key by
   sending a message with a -subject- (not body) of
   'get key' (no quotes) to security-alert@hp.com.

    Permission is granted for copying and circulating this
   bulletin to Hewlett-Packard Company (HP) customers (or the Internet
   community) for the purpose of alerting them to problems,
   if and only if, the bulletin is not edited or changed in
   any way, is attributed to HP, and provided such reproduction
   and/or distribution is performed for non-commercial purposes.

    Any other use of this information is prohibited. HP is not
   liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID:  HPSBTL0201-018--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Updated:  September 25, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name: uucp
Date: September 21st, 2001
Advisory ID: MDKSA-2001:078

Affected versions: 7.1, 7.2, 8.0, Corporate Server 1.0.1
________________________________________________________________________

Problem Description:

Zen Parse discovered that an argument handling problem that exists in
the uucp package can allow a local attacker to gain access to the uucp
user or group.
________________________________________________________________________

References:

http://www.securityfocus.com/archive/1/212892
________________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.1:
fa65ca8883349b9be0e6cf7db7dea76b 7.1/RPMS/uucp-1.06.1-14.1mdk.i586.rpm
e28726519e93e1980d40dab2f06483af 7.1/SRPMS/uucp-1.06.1-14.1mdk.src.rpm

Linux-Mandrake 7.2:
63dec090a832b711ff3a05577de6e375 7.2/RPMS/uucp-1.06.1-17.1mdk.i586.rpm
5e0b73597aaf0b0c731919e0e2608e2b 7.2/SRPMS/uucp-1.06.1-17.1mdk.src.rpm

Mandrake Linux 8.0:
1d285f9a496ae17aac3a43faaf93046a 8.0/RPMS/uucp-1.06.1-18.1mdk.i586.rpm
231f4436c3d4ba45190b6f00430a8b0d 8.0/SRPMS/uucp-1.06.1-18.1mdk.src.rpm

Mandrake Linux 8.0 (PPC):
9634b394fe43ab951969ab5088a071f3 ppc/8.0/RPMS/uucp-1.06.1-18.1mdk.ppc.rpm
519859d31a9a04d84d8090a6a4885431 ppc/8.0/SRPMS/uucp-1.06.1-18.1mdk.src.rpm

Corporate Server 1.0.1:
fa65ca8883349b9be0e6cf7db7dea76b 1.0.1/RPMS/uucp-1.06.1-14.1mdk.i586.rpm
e28726519e93e1980d40dab2f06483af 1.0.1/SRPMS/uucp-1.06.1-14.1mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

security@linux-mandrake.com
________________________________________________________________________

Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:

security-announce@linux-mandrake.com

Mandrake Linux's security announcements mailing list. Only
announcements are sent to this list and it is read-only.

security-discuss@linux-mandrake.com

Mandrake Linux's security discussion mailing list. This list is open
to anyone to discuss Mandrake Linux security specifically and Linux
security in general.

To subscribe to either list, send a message to
sympa@linux-mandrake.com
with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to
sympa@linux-mandrake.com
with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to
sympa@linux-mandrake.com
with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:

http://www.linux-mandrake.com/en/flists.php3#security
________________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security@linux-mandrake.com>


- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7qtfrmqjQ0CJFipgRAquLAJ46aDf85lnkDX7ZRp8bu3V05MT0qwCgxUvp
TZaGq2U8xKvGNEfQMRLErjc=
=mMTA
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Updated:  September 25, 2001

Status

  Vulnerable

Vendor Statement

http://www.openbsd.org/errata.html#uucp

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat

Notified:  September 25, 2001 Updated:  January 18, 2002

Status

  Vulnerable

Vendor Statement

http://www.redhat.com/support/errata/RHSA-2001-165.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE

Updated:  January 17, 2002

Status

  Vulnerable

Vendor Statement

http://www.suse.de/de/support/security/2001_038_uucp_txt.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Updated:  September 26, 2001

Status

  Not Vulnerable

Vendor Statement

Mac OS X is not vulnerable to the UUCP problems described in this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  September 25, 2001 Updated:  January 17, 2002

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 11 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was discovered by zen-parse.

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2001-0873
Severity Metric: 21.38
Date Public: 2001-09-08
Date First Published: 2001-09-25
Date Last Updated: 2002-02-08 16:09 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.