FreeBSD apsfilter could allow arbitrary command execution
| apsfilter-elevate-privileges (4617) |  Medium Risk |
Description:
The apsfilter custom configurations are not handled securely, and could allow an attacker to gain elevated privileges and execute arbitrary commands as root.
Platforms Affected:
- FreeBSD, FreeBSD 3.2
- FreeBSD, FreeBSD 3.3
- FreeBSD, FreeBSD 3.4
- FreeBSD, FreeBSD 4.0
Remedy:
Upgrade the apsfilter package to version 5.4.2 or later, as listed in FreeBSD Security Advisory FreeBSD-SA-00:22. See References.
Consequences:
Gain Privileges
References:
- FreeBSD Security Advisory FreeBSD-SA-00:22, apsfilter allows users to execute arbitrary commands as user lpd at http://archives.neohapsis.com/archives/freebsd/2000-06/0030.html.
- BID-1325: apsfilter LPD User Execution Vulnerability
- CVE-2000-0534: The apsfilter software in the FreeBSD ports package does not properly read user filter configurations, which allows local users to execute commands as the lpd user.
- OSVDB ID: 1389: FreeBSD apsfilter lpd Arbitrary Command Execution
Reported:
Jun 07, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net