sharutils uudecode utility symbolic links could be used to overwrite arbitrary files
sharutils-uudecode-symlink (9075)
Description:
The uudecode utility in sharutils creates temporary files insecurely, which could allow a local attacker to launch a symlink attack. A local attacker could create a symbolic link from a file in /tmp to an arbitrary file on the system, which would be overwritten when a user runs the uudecode utility. An attacker could use this vulnerability to gain elevated privileges on the system.
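The check the advisory describes as missing, shown as an added example that is not sharutils' own code: a hypothetical open_output_safely() that refuses to write a uudecode output file through a symbolic link or into a pipe, using O_NOFOLLOW and O_NONBLOCK plus a post-open fstat() so there is no lstat()/open() race, and a check_open_output_safely() that exercises it in a constructed temporary directory.

```c
/* Added, hypothetical example (not sharutils' own code): open a uudecode-style
 * output file while refusing symbolic links and pipes, the check the advisory
 * says uudecode lacked. Returns a write fd, or -1 with errno set. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

int open_output_safely(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink at path fails (ELOOP) instead of being followed,
     * with no lstat()/open() race. O_NONBLOCK: a planted FIFO fails (ENXIO)
     * instead of hanging until the attacker opens the read end. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_NONBLOCK, 0644);
    if (fd < 0) return -1;
    /* Check the object actually opened, not the path: only a regular file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    fcntl(fd, F_SETFL, 0); /* regular file: drop O_NONBLOCK for normal writes */
    return fd;
}

/* Self-check in a constructed temp dir: a symlink to "victim" and a FIFO are
 * refused, a plain file is accepted. Returns 1 on pass, 0 otherwise. */
int check_open_output_safely(void)
{
    const char *name[4] = { "victim", "link", "fifo", "plain" };
    char d[] = "/tmp/uudec-XXXXXX", p[4][64];
    int i, fd, ok;
    if (!mkdtemp(d)) return 0;
    for (i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/%s", d, name[i]);
    close(open(p[0], O_WRONLY | O_CREAT, 0644)); /* the file to be protected */
    ok = symlink(p[0], p[1]) == 0 && mkfifo(p[2], 0644) == 0
         && open_output_safely(p[1]) == -1 && open_output_safely(p[2]) == -1;
    fd = open_output_safely(p[3]);
    ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    for (i = 0; i < 4; i++) unlink(p[i]);
    rmdir(d);
    return ok;
}
```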
Platforms Affected:
- Compaq, Tru64 4.0f
- Compaq, Tru64 4.0g
- Compaq, Tru64 5.0a
- Compaq, Tru64 5.1
- Compaq, Tru64 5.1a
- Gentoo, Linux
- GNU, sharutils
- HP, Secure OS 1.0
- MandrakeSoft, Mandrake Linux 7.1
- MandrakeSoft, Mandrake Linux 7.2
- MandrakeSoft, Mandrake Linux 8.0
- MandrakeSoft, Mandrake Linux 8.0 PPC
- MandrakeSoft, Mandrake Linux 8.1 IA64
- MandrakeSoft, Mandrake Linux 8.1
- MandrakeSoft, Mandrake Linux 8.2
- MandrakeSoft, Mandrake Linux 8.2 PPC
- MandrakeSoft, Mandrake Linux Corporate Server 1.0.1
- MandrakeSoft, Mandrake Single Network Firewall 7.2
- RedHat, Enterprise Linux 2.1 AS
- RedHat, Linux 6.2
- RedHat, Linux 7
- RedHat, Linux 7.1
- RedHat, Linux 7.2
- RedHat, Linux 7.3
- SCO, Caldera OpenLinux Server 3.1
- SCO, Caldera OpenLinux Server 3.1.1
- SCO, Caldera OpenLinux Workstation 3.1
- SCO, Caldera OpenLinux Workstation 3.1.1
- SCO, Caldera OpenUnix 8.0.0
- SCO, Caldera UnixWare 7.1.1
- SCO, SCO OpenServer 5.0.6
- SCO, SCO OpenServer 5.0.7
Remedy:
For Red Hat Linux 6.2:
Upgrade to the latest version of sharutils (4.2.1-2.6.x or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:065-13. See References.
For Red Hat Linux 7.0, 7.1, and 7.2:
Upgrade to the latest version of sharutils (4.2.1-8.7.x or later), as listed in Red Hat Linux Errata Advisory RHSA-2002:065-13. See References.
For HP Secure OS Software for Linux 1.0:
Apply the RHSA-2002:065 RPMs, as listed in Hewlett-Packard Company Security Bulletin HPSBTL0205-040. See References.
For Mandrake Linux 7.1, 7.2, 8.0, 8.1, 8.2, Single Network Firewall 7.2, and Corporate Server 1.0.1:
Upgrade to the latest sharutils package 4.2.1-8.1mdk or later, as listed in MandrakeSoft Security Advisory MDKSA-2002:052: sharutils. See References.
For Caldera OpenLinux 3.1 and 3.1.1 (Server and Workstation):
Upgrade to the latest sharutils package (4.2.1-7MR.1 or later), as listed in SCO Security Advisory CSSA-2002-040.0. See References.
For Gentoo Linux:
Upgrade if you are running sys-apps/sharutils-4.2.1-r5 or earlier, as listed in Gentoo Linux Security Announcement 2002-10-30 14:10 UTC. See References.
For HP Tru64 UNIX:
Apply the appropriate patch for your system, as listed in Compaq.com - Security Bulletin: SRB0031W. See References.
For Caldera UnixWare 7.1.1 and OpenUnix 8.0.0:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2002-SCO.44. See References.
For SCO OpenServer 5.0.6 and 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2004.12. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
File Manipulation
References:
- Compaq.com - Security Bulletin: SRB0031W, SSRT2301 - HP Tru64 UNIX uudecode Potential Security Vulnerability at http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?countrycode=1000&prodid=117|Non-Platform+Specific&source=SRB0031W.xml&dt=11&docid=13225.
- Gentoo Linux Security Announcement 2002-10-30 14:10 UTC, inadequate checks on user-specified output files at http://archives.neohapsis.com/archives/bugtraq/2002-10/0412.html.
- Hewlett-Packard Company Security Bulletin HPSBTL0205-040, Security vulnerability in sharutils at http://online.securityfocus.com/advisories/4132. (From SecurityFocus archive.)
- SCO Security Advisory CSSA-2002-040.0, Linux: uudecode performs inadequate checks on user-specified output files at ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2002-040.0.txt.
- SCO Security Advisory CSSA-2002-SCO.44, UnixWare 7.1.1 Open UNIX 8.0.0 : uudecode performs inadequate checks on user-specified output files at ftp://ftp.sco.com/pub/updates/OpenUNIX/CSSA-2002-SCO.44/CSSA-2002-SCO.44.txt.
- SCO Security Advisory SCOSA-2004.12, uudecode does not check for symlink or pipe at http://www.linuxsecurity.com/content/view/106314/98/.
- BID-4742: GNU SharUtils UUDecode Symbolic Link Attack Vulnerability
- CVE-2002-0178: uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands.
- MDKSA-2002:052: Updated sharutils packages fix local file vulnerability
- OSVDB ID: 8274: SCO OpenServer uudecode Arbitrary File Overwrite
- RHSA-2002-065: Updated sharutils package fixes uudecode issue
- RHSA-2003-180: sharutils security update
- US-CERT VU#336083: Uudecode performs inadequate checks on user-specified output files
Reported:
May 14, 2002
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
