CVE-2004-1170
CVSS 10.0
Published: 2005-01-10 00:00:00
Last revised: 2016-10-17 22:51:59

[Original] a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename.


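[CNNVD] a2ps filename command execution vulnerability (CNNVD-200501-145)

        a2ps is an open-source PostScript program.
        A command execution vulnerability exists in a2ps 4.13.
        A remote attacker can execute arbitrary commands via a filename that contains shell metacharacters.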

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gnu:a2ps:4.13b  GNU a2ps 4.13b
cpe:/o:suse:suse_linux:8.1  SuSE SuSE Linux 8.1
cpe:/o:suse:suse_linux:9.0  SuSE SuSE Linux 9.0
cpe:/a:gnu:a2ps:4.13  GNU a2ps 4.13
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/a:sun:java_desktop_system:2.0  Sun Java Desktop System 2.0
cpe:/a:sun:java_desktop_system:2003
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:suse:suse_linux:9.0::enterprise_server
cpe:/o:suse:suse_linux:8.2  SuSE SuSE Linux 8.2
cpe:/o:suse:suse_linux:9.1  SuSE SuSE Linux 9.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1170
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1170
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-145
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1026.html
(VENDOR_ADVISORY)  FULLDISC  20040824 a2ps executing shell commands from file name
http://bugs.debian.org/283134
(UNKNOWN)  CONFIRM  http://bugs.debian.org/283134
http://marc.info/?l=bugtraq&m=110598355226660&w=2
(UNKNOWN)  OPENPKG  OpenPKG-SA-2005.003
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57649-1&searchclause=
(UNKNOWN)  SUNALERT  57649
http://www.mandriva.com/security/advisories?name=MDKSA-2004:140
(UNKNOWN)  MANDRAKE  MDKSA-2004:140
http://www.novell.com/linux/security/advisories/2004_34_xfree86_libs_xshared.html
(UNKNOWN)  SUSE  SUSE-SA:2004:034
http://www.securiteam.com/unixfocus/5MP0N2KDPA.html
(UNKNOWN)  MISC  http://www.securiteam.com/unixfocus/5MP0N2KDPA.html
http://www.securityfocus.com/archive/1/archive/1/419765/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:152870
http://www.securityfocus.com/bid/11025
(VENDOR_ADVISORY)  BID  11025
http://xforce.iss.net/xforce/xfdb/17127
(VENDOR_ADVISORY)  XF  gnu-a2ps-gain-privileges(17127)

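- Vulnerability information

a2ps filename command execution vulnerability
Critical  Input validation
2005-01-10 00:00:00 2005-10-20 00:00:00
Local
        a2ps is an open-source PostScript program.
        A command execution vulnerability exists in a2ps 4.13.
        A remote attacker can execute arbitrary commands via a filename that contains shell metacharacters.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://ftp.gnu.org/gnu/a2ps/

- Vulnerability information (24406)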

GNU a2ps 4.13 File Name Command Execution Vulnerability (EDBID:24406)
linux local
2004-08-24 Verified
0 Rudolf Polzer
N/A
source: http://www.securityfocus.com/bid/11025/info

Reportedly GNU a2ps is affected by a filename command-execution vulnerability. This issue is due to the application's failure to properly sanitize filenames.

An attacker might leverage this issue to execute arbitrary shell commands with the privileges of an unsuspecting user running the vulnerable application.

Although this issue reportedly affects only a2ps version 4.13, other versions are likely affected as well. 

$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'
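
The pattern behind the proof of concept above, next to an argument-based alternative and a file-name pre-check. This is an added example, not a2ps code and not part of the advisory: all function names are hypothetical, and `cat` stands in for whatever command a filter runs on the file (how a2ps itself builds its command line is not shown on this page, so that part is an assumption).

```sh
#!/bin/sh
# Added illustration; not a2ps code. Function names are hypothetical.

# Constructed sample: the file name from the proof of concept above.
POC_NAME='x`echo >&2 42`.c'

# Vulnerable pattern: the name is pasted into a command string that a
# second shell parses, so backticks in the name become a command.
run_filter_unsafe() {
    sh -c "cat $1 >/dev/null"
}

# Hardened pattern: the name is passed as one argument and is never
# parsed as shell source; "--" also stops names starting with "-".
run_filter_safe() {
    cat -- "$1" >/dev/null
}

# True if filter $1, run on file $2, executed the embedded command
# (the harmless "echo >&2 42" leaves a line "42" on stderr).
embedded_command_ran() {
    "$1" "$2" 2>&1 >/dev/null | grep -qx 42
}

# Pre-flight check for wildcard runs in shared directories: true if a
# name contains characters a shell treats as syntax.
has_shell_meta() {
    meta='`$;|&<>()'
    case $1 in
        *[$meta]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo in a scratch directory with one crafted and one ordinary name.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && : > "$POC_NAME" && : > hello.c
      for f in *.c; do
          has_shell_meta "$f" && echo "suspicious name: $f"
          embedded_command_ran run_filter_unsafe "$f" && echo "unsafe filter ran a command from: $f"
          embedded_command_ran run_filter_safe "$f" && echo "safe filter ran a command from: $f"
      done
      true )
    rm -rf "$dir"
}
demo
```

Only the crafted name is reported as suspicious, and only the string-building filter runs the embedded command.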

		

- Vulnerability information (F35444)

dsa-612.txt (PacketStormID:F35444)
2004-12-30 00:00:00
 
advisory,arbitrary,shell
linux,debian
CVE-2004-1170

Debian Security Advisory 612-1 - Rudolf Polzer discovered a vulnerability in a2ps, a converter and pretty-printer for many formats to PostScript. The program did not escape shell meta characters properly which could lead to the execution of arbitrary commands as a privileged user if a2ps is installed as a printer filter.

--------------------------------------------------------------------------
Debian Security Advisory DSA 612-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
December 20th, 2004                     http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : a2ps
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-1170
BugTraq ID     : 11025
Debian Bug     : 283134

Rudolf Polzer discovered a vulnerability in a2ps, a converter and
pretty-printer for many formats to PostScript.  The program did not
escape shell meta characters properly which could lead to the
execution of arbitrary commands as a privileged user if a2ps is
installed as a printer filter.

For the stable distribution (woody) this problem has been fixed in
version 4.13b-16woody1

For the unstable distribution (sid) this problem has been fixed in
version 4.13b-4.2.

We recommend that you upgrade your a2ps package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


    

- Vulnerability information

9176
GNU a2ps File Name Shell Command Execution
Local Access Required Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

GNU a2ps contains a flaw that may allow a malicious user to execute arbitrary files. The issue is triggered when a user uses a wildcard in a2ps filenames from within a world writeable directory. It is possible that the flaw may allow arbitrary code execution, resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-08-24 Unknown
2004-08-24 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, FreeBSD has released a patch to address this vulnerability within the FreeBSD operating system.

- Related references

- Vulnerability author

- Vulnerability information

GNU a2ps File Name Command Execution Vulnerability
Input Validation Error 11025
No Yes
2004-08-24 12:00:00 2006-05-08 09:09:00
Discovery of this issue is credited to Rudolf Polzer <divzero@gmail.com>.

- Affected program versions

SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Sun Java Desktop System (JDS) 2.0
Sun Java Desktop System (JDS) 2003
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux 8.1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
Red Hat Fedora Core1
GNU a2ps 4.13 b
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 10.2 x86_64
+ Mandriva Linux Mandrake 10.2
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG 2.2
+ OpenPKG OpenPKG 2.1
+ OpenPKG OpenPKG Current
GNU a2ps 4.13
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
Gentoo Linux

- Vulnerability discussion

Reportedly GNU a2ps is affected by a filename command-execution vulnerability. This issue is due to the application's failure to properly sanitize filenames.

An attacker might leverage this issue to execute arbitrary shell commands with the privileges of an unsuspecting user running the vulnerable application.

Although this issue reportedly affects only a2ps version 4.13, other versions are likely affected as well.

- Exploit

No exploit is required to leverage this issue. The following proof of concept has been provided:

The issue can be illustrated with the following set of shell commands:

$ touch 'x`echo >&2 42`.c'
$ a2ps -o /dev/null *.c
42
[x`echo >&2 42`.c (C): 0 pages on 0 sheets]
[Total: 0 pages on 0 sheets] saved into the file `/dev/null'

- Solution


Please see the referenced advisories for more information.


GNU a2ps 4.13 b

GNU a2ps 4.13

- Related references

 

 
