Conectiva Local Security Checks : Conectiva Security Advisory CLA-2002:532

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.51541

Kategorie: Conectiva Local Security Checks

Titel: Conectiva Security Advisory CLA-2002:532

Zusammenfassung: NOSUMMARY

Beschreibung: Description:

The remote host is missing updates announced in
advisory CLA-2002:532.

Sendmail is a widely used Mail Transfer Agent (MTA). smrsh is an
application intended as a replacement for the sh shell for use with
Sendmail. It imposes some restrictions to what programs can be
executed when parsing ~
/.forward and system wide mail aliases.

Zen-parse and Pedram Amini found two ways[1] to exploit smrsh in
order to make it execute any program on the system. The first one is
by inserting specially formatted commands in the .forward file
located in the user's home directory. The second one is by directly
calling smrsh with special parameters.

By exploiting this vulnerability, users who have no shell account or
are not allowed to execute some programs can use smrsh to bypass such
restrictions.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-1165 to this issue[2].

Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'

http://www.sendmail.org/smrsh.adv.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1165
http://www.securityspace.com/smysecure/catid.html?in=CLA-2002:532
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002002

Risk factor : Medium

CVSS Score:
4.6

Querverweis: BugTraq ID: 5845
Common Vulnerability Exposure (CVE) ID: CVE-2002-1165
http://www.securityfocus.com/bid/5845
Bugtraq: 20021001 iDEFENSE Security Advisory 10.01.02: Sendmail smrsh bypass vulnerabilities (Google Search)
http://marc.info/?l=bugtraq&m=103350914307274&w=2
Caldera Security Advisory: CSSA-2002-052.0
Conectiva Linux advisory: CLA-2002:532
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000532
FreeBSD Security Advisory: FreeBSD-SA-02:41
http://www.mandriva.com/security/advisories?name=MDKSA-2002:083
NETBSD Security Advisory: NetBSD-SA2002-023
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-023.txt.asc
http://www.redhat.com/support/errata/RHSA-2003-073.html
http://secunia.com/advisories/7826
SGI Security Advisory: 20030101-01-P
http://www.iss.net/security_center/static/10232.php

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.51541
Kategorie:	Conectiva Local Security Checks
Titel:	Conectiva Security Advisory CLA-2002:532
Zusammenfassung:	NOSUMMARY
Beschreibung:	Description: The remote host is missing updates announced in advisory CLA-2002:532. Sendmail is a widely used Mail Transfer Agent (MTA). smrsh is an application intended as a replacement for the sh shell for use with Sendmail. It imposes some restrictions to what programs can be executed when parsing ~ /.forward and system wide mail aliases. Zen-parse and Pedram Amini found two ways[1] to exploit smrsh in order to make it execute any program on the system. The first one is by inserting specially formatted commands in the .forward file located in the user's home directory. The second one is by directly calling smrsh with special parameters. By exploiting this vulnerability, users who have no shell account or are not allowed to execute some programs can use smrsh to bypass such restrictions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-1165 to this issue[2]. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.sendmail.org/smrsh.adv.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1165 http://www.securityspace.com/smysecure/catid.html?in=CLA-2002:532 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002002 Risk factor : Medium CVSS Score: 4.6
Querverweis:	BugTraq ID: 5845 Common Vulnerability Exposure (CVE) ID: CVE-2002-1165 http://www.securityfocus.com/bid/5845 Bugtraq: 20021001 iDEFENSE Security Advisory 10.01.02: Sendmail smrsh bypass vulnerabilities (Google Search) http://marc.info/?l=bugtraq&m=103350914307274&w=2 Caldera Security Advisory: CSSA-2002-052.0 Conectiva Linux advisory: CLA-2002:532 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000532 FreeBSD Security Advisory: FreeBSD-SA-02:41 http://www.mandriva.com/security/advisories?name=MDKSA-2002:083 NETBSD Security Advisory: NetBSD-SA2002-023 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-023.txt.asc http://www.redhat.com/support/errata/RHSA-2003-073.html http://secunia.com/advisories/7826 SGI Security Advisory: 20030101-01-P http://www.iss.net/security_center/static/10232.php
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com