Executive Summary
| Summary | |
|---|---|
| Title | New splitvt packages fix privilege escalation |
| Informations | |||
|---|---|---|---|
| Name | DSA-1500 | First vendor Publication | 2008-02-21 |
| Vendor | Debian | Last vendor Modification | 2008-02-21 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.2 | Attack Range | Local |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp. For the stable distribution (etch), this problem has been fixed in version 1.6.5-9etch1. For the unstable distribution (sid), this problem has been fixed in version 1.6.6-4. We recommend that you upgrade your splitvt package. |
Original Source
| Url : http://www.debian.org/security/2008/dsa-1500 |
CAPEC : Common Attack Pattern Enumeration & Classification
| Id | Name |
|---|---|
| CAPEC-69 | Target Programs with Elevated Privileges |
| CAPEC-104 | Cross Zone Scripting |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:20008 | |||
| Oval ID: | oval:org.mitre.oval:def:20008 | ||
| Title: | DSA-1500-1 splitvt - privilege escalation | ||
| Description: | Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing <q>xprop</q>. This could allow any local user to gain the privileges of group utmp. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1500-1 CVE-2008-0162 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | splitvt |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:8133 | |||
| Oval ID: | oval:org.mitre.oval:def:8133 | ||
| Title: | DSA-1500 splitvt -- privilege escalation | ||
| Description: | Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing xprop. This could allow any local user to gain the privileges of group utmp. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1500 CVE-2008-0162 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | splitvt |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-05 (splitvt) File : nvt/glsa_200803_05.nasl |
| 2008-02-28 | Name : Debian Security Advisory DSA 1500-1 (splitvt) File : nvt/deb_1500_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 42178 | splitvt misc.c xprop Handling Local Privilege Escalation |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2008-03-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-05.nasl - Type : ACT_GATHER_INFO |
| 2008-02-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1500.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:27:22 |
|
