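##############################################################################
#
#  GNU GZip Archive Handling Multiple Remote Vulnerabilities
#
#  Copyright: OS2A and it's member companies
#
#  Date Written: 2006/09/20
#
#  $Revision: 1.1 $
#
#  $Log: os2a_gzip_mult_vuln_604063.nasl,v $
#  Revision 1.1 2006/09/22 13:49:30 ksjayesh
#  To production
#
#  Revision 1.1 2006/09/20 13:15:37 hshreesha
#  issue #3031
#
#  ------------------------------------------------------------------------
#  This program was written by OS2A and/or it's member companies and is
#  licensed under the GNU GPL license. Please see below for details. This
#  header contains information regarding licensing terms under the GPL, and
#  information regarding obtaining source code from the Author. Consequently,
#  pursuant to section 3(c) of the GPL, you must accompany the information
#  found in this header with any distribution you make of this Program.
#  ------------------------------------------------------------------------
##############################################################################

# Purpose: local, version-based check for the gzip archive-handling flaws
# listed in script_cve_id() below. It reads data already gathered into the
# knowledge base (uname, distribution release, package lists) and, when no
# package list settles the question, runs "gzip -V" through the SSH helper.
# The check only compares version strings; it never feeds gzip any input.

# Skip on engines that do not provide bn_random().
# NOTE(review): presumably a proxy for "engine has the SSH support needed by
# ssh_func.inc" -- confirm.
if(!defined_func("bn_random")) exit(0);

if(description)
{
  script_id(604063);
  script_bugtraq_id(20101);
  # One identifier per argument. The original call packed several IDs into a
  # single comma-separated string, so none of them was a well-formed CVE
  # reference on its own.
  script_cve_id("CVE-2006-4334", "CVE-2006-4335", "CVE-2006-4336",
                "CVE-2006-4337", "CVE-2006-4338");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_name(english:"GNU GZip Archive Handling Multiple Remote Vulnerabilities");
  script_summary(english:"Check for vulnerable version of GNU GZip");

  # NOTE(review): the Solution paragraph below says no fix was available as of
  # 20 September 2006, while the Gentoo branch further down already treats
  # 1.3.5-r8 as unaffected; the report text likely needs refreshing. It is
  # left untouched here because it is emitted verbatim in scan reports.
  desc["english"] = " Overview : This host has GNU GZip installed which is susceptible to multiple vulnerabilities. These issues are, - A boundary error in the make_table() function in unlzh.c. - A buffer underflow in the build_tree() function in unpack.c. - A buffer overflow in the make_table() function of gzip's LZH support. - A NULL pointer dereference within the huft_build() function. 
Impact : Successful exploitation of this issue can cause execution of arbitrary commands or crash of the vulnerable application. Impact of the vulnerability is limited to system level. Affected Software : GNU GZip version 1.3.5 and prior. Affected Platform : Any linux system running the affected software. Solution : No vendor supplied patch/update available as on 20 September 2006. Information regarding this issue will be updated once the solution details are available. References : http://www.kb.cert.org/vuls/id/381508 http://www.kb.cert.org/vuls/id/554780 http://www.kb.cert.org/vuls/id/596848 http://www.kb.cert.org/vuls/id/773548 http://www.kb.cert.org/vuls/id/933712 CVSS Score : CVSS Base Score : 6.0 (AV:L/AC:L/Au:NR/C:P/I:P/A:C/B:A) CVSS Temporal Score : 5.1 Risk factor : High";

  script_description(english:desc["english"]);
  # Needs the host facts collected by ssh_get_info.nasl.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/uname");
  exit(0);
}

include("ssh_func.inc");
include("os2a_misc_func.inc");
include("qpkg.inc");

# Only Linux and Darwin hosts are examined.
if(get_kb_item("Host/uname") !~ "Linux|Darwin"){
  exit(0);
}

# If Debian, exit (Advisory available): once dpkg lists a gzip package the
# host is left to the distribution-specific advisory checks.
if(get_kb_item("Host/Debian/release"))
{
  if(egrep(string:get_kb_item("Host/Debian/dpkg-l"), pattern:"gzip")){
    exit(0);
  }
}
# If Gentoo, check for vulnerable version of gzip
# NOTE(review): when qpkg_check() does not report a vulnerable package the
# script falls through to the generic checks below, so a host on 1.3.5-r8
# whose "gzip -V" banner still reads 1.3.5 may be reported anyway -- confirm
# whether this branch should exit unconditionally.
else if(get_kb_item("Host/Gentoo/release"))
{
  if(qpkg_check(package:"app-arch/gzip",
                unaffected:make_list("ge 1.3.5-r8"),
                vulnerable:make_list("lt 1.3.5-r8")))
  {
    security_hole(0);
    exit(0);
  }
}

# If RedHat, then exit (Advisories available)
# NOTE(review): os2a_check_rpm_in_list() lives in os2a_misc_func.inc; the
# handling here suggests 1 = package matches the pattern, 0 = package present
# but no match, anything else = package not in the list -- confirm.
if(egrep(pattern:"Red Hat.*Linux", string:get_kb_item("Host/RedHat/release")))
{
  rpm = os2a_check_rpm_in_list(pattern:"^gzip-",
                               list:get_kb_list("Host/RedHat/rpm-list"),
                               rname:"^gzip-");
  if(rpm == 1 || rpm == 0){
    exit(0);
  }
}
else
{
  # Check for vulnerable version of gzip on all other Linux installations.
  # The trailing ([^0-9]|$) stops the 1.x alternatives from prefix-matching
  # later releases: without it "1.3.12" matches as "1.3.1" and "1.10" as
  # "1.1", producing false positives.
  # A version match is still not proof of exposure: a package that carries a
  # backported fix under an affected version number would also be reported.
  # NOTE(review): assumes the helper applies the pattern as an ordinary
  # extended regular expression -- confirm against os2a_misc_func.inc.
  res = os2a_check_rpm_in_list(pattern:"^gzip-(0.*|1\.([0-2]|3\.[0-5])([^0-9]|$))",
                               list:get_kb_list("Host/*/rpm-list"),
                               rname:"gzip");
  if(res == 1)
  {
    security_hole(0);
    exit(0);
  }
  if(res == 0){
    exit(0);
  }
}

# Last resort: no package list answered, so read the version banner of the
# gzip found by the remote shell. Same version boundary as above.
vuln = os2a_check_ver_by_ssh_cmd_exec(cmd:"gzip -V", timeout:120,
                                      pattern:"gzip (0.*|1\.([0-2]|3\.[0-5])([^0-9]|$))");
if(vuln == 1){
  security_hole(0);
}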