CVE-2006-0576
published 2006-02-08
CVE-2006-0576: Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and earlier allows local users to execute arbitrary commands via a modified PATH that…
Priority P4 22 · high · 7.2 · CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.39% (30.5th percentile)
Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and earlier allows local users to execute arbitrary commands via a modified PATH that references malicious (1) which or (2) dirname programs. NOTE: while opcontrol normally is not run setuid, a common configuration suggests accessing opcontrol using sudo. In such a context, this is a vulnerability.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| maynard_johnson | oprofile | <= 0.9.1 | — |
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 7.2 HIGH
Red Hat
security flaw
vendor_redhat·2006-02-07·CVSS 7.2
Statement: Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 3:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207347
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
GHSA
GHSA-9xvh-2qpv-m4fg: Untrusted search path vulnerability in opcontrol in OProfile 0
ghsa_unreviewed·2022-05-01
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-0576 security flaw
bugzilla·2018-08-16·CVSS 7.2
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Untrusted search path vulnerability in opcontrol in OProfile 0.9.1 and earlier allows local users to execute arbitrary commands via a modified PATH that references malicious (1) which or (2) dirname programs. NOTE: while opcontrol normally is not run setuid, a common configuration suggests accessing opcontrol using sudo. In such a context, this is a vulnerability.
---
Statement:
Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 3
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207347
The Red Hat Security Response Team has rated this issue as h
Bugzilla
CVE-2011-1760 oprofile: Local privilege escalation via crafted opcontrol event parameter
bugzilla·2011-04-29·CVSS 7.2
It was found that oprofile profiling system did not properly sanitize
the content of event argument, provided to oprofile profiling control
utility (opcontrol). If a local unprivileged user was authorized by
sudoers file to run the opcontrol utility, they could use the flaw
to escalate their privileges (execute arbitrary code with the privileges
of the privileged system user, root). Different vulnerability than
CVE-2006-0576.
References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624212
Discussion:
This issue did not affect the version of the oprofile package,
as shipped with Red Hat Enterprise Linux 4.
This issue affects the versions of the oprofile package, as shipped
with Red Hat Ente
Bugzilla
CVE-2006-0576 Arbitrary code execution via OProfile
bugzilla·2006-09-20·CVSS 7.2
+++ This bug was initially created as a clone of Bug #180723 +++
Arbitrary code execution via OProfile
A bug has been discovered in OProfile's opcontrol command. By setting
PATH to point at certain malicious scripts, it is possible to execute
arbitrary commands as root.
We don't ship opcontrol setuid, but if a user has the ability to run
opcontrol via sudo, this issue can be leveraged.
It should be noted that untrusted users should not be given sudo
access, which seriously mitigates the potential damage this issue can
cause.
http://marc.theaimsgroup.com/?l=bugtraq&m=113935237519964&w=2
This issue also affects RHEL3
-- Additional comment from [email protected] on 2006-02-10 10:15 EST --
There was some discussion on the oprofile ma
Bugzilla
CVE-2006-0576 Arbitrary code execution via OProfile
bugzilla·2006-02-09·CVSS 7.2
Arbitrary code execution via OProfile
A bug has been discovered in OProfile's opcontrol command. By setting
PATH to point at certain malicious scripts, it is possible to execute
arbitrary commands as root.
We don't ship opcontrol setuid, but if a user has the ability to run
opcontrol via sudo, this issue can be leveraged.
It should be noted that untrusted users should not be given sudo
access, which seriously mitigates the potential damage this issue can
cause.
http://marc.theaimsgroup.com/?l=bugtraq&m=113935237519964&w=2
Discussion:
There was some discussion on the oprofile mailing list to fix this. The
resulting patch from the upstream oprofile has been backported to the RHEL3
oprofile. Should be in oprofile 0.8.1-22.
---
that
Bugzilla
CVE-2006-0576 Arbitrary code execution via OProfile
bugzilla·2006-02-09·CVSS 7.2
Arbitrary code execution via OProfile
A bug has been discovered in OProfile's opcontrol command. By setting
PATH to point at certain malicious scripts, it is possible to execute
arbitrary commands as root.
We don't ship opcontrol setuid, but if a user has the ability to run
opcontrol via sudo, this issue can be leveraged.
It should be noted that untrusted users should not be given sudo
access, which seriously mitigates the potential damage this issue can
cause.
http://marc.theaimsgroup.com/?l=bugtraq&m=113935237519964&w=2
This issue also affects RHEL3
Discussion:
There was some discussion on the oprofile mailing list to fix this. The
resulting patch from the upstream oprofile has been backported to the RHEL4
oprofile. Should be i
http://www.redhat.com/magazine/012oct05/features/oprofile/
http://www.securityfocus.com/archive/1/424325/100/0/threaded
http://www.securityfocus.com/bid/16536
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10890
2006-02-08
Published