CVE-2011-1018
Published 2011-02-25
Priority P270 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 18.32% (96.9th percentile)
logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | logwatch | < logwatch 7.3.6.cvs20090906-2 (bookworm) | logwatch 7.3.6.cvs20090906-2 (bookworm) |
| logwatch | logwatch | — | — |
| logwatch | logwatch | >= 0 < 7.3.6.cvs20090906-2 | 7.3.6.cvs20090906-2 |
| logwatch | logwatch | >= 0 < 7.3.6.cvs20090906-2 | 7.3.6.cvs20090906-2 |
| logwatch | logwatch | >= 0 < 7.3.6.cvs20090906-2 | 7.3.6.cvs20090906-2 |
| logwatch | logwatch | >= 0 < 7.3.6.cvs20090906-2 | 7.3.6.cvs20090906-2 |
Detection & IOCs
- Detect shell metacharacters (e.g., semicolons, pipes, backticks) embedded in log file names processed by logwatch.pl, particularly in Samba-generated log paths.
- Monitor for crafted Samba usernames containing shell metacharacters, as these get reflected into log file names subsequently parsed by logwatch.
- Alert on logwatch.pl invoking system() calls where the argument contains unsanitized log file name components with special characters such as semicolons.
- Only Logwatch 7.3.6 (unpatched) is vulnerable; Debian fixed the issue in package version 7.3.6.cvs20090906-2 and RHEL 5/6 via RHSA-2011:0324.
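The first detection item above, as an added example (not code from Logwatch or from any advisory quoted on this page): a Python scan that flags names under a log directory containing shell metacharacters, and a tokenizer view of why such a name turns into several commands unless it is quoted. The `cat` command and the temporary directory tree are constructed stand-ins; the file name is the one shown in the Exploit-DB entry for this CVE.

```python
import os
import re
import shlex
import tempfile

# Characters a POSIX shell treats specially when a name is interpolated unquoted.
SHELL_META = re.compile(r"[;&|`$<>(){}\\!*?\[\]'\"\s]")
SEPARATORS = {";", "&", "&&", "|", "||"}

def find_suspicious_names(root):
    """Return sorted (path, metacharacters) for names under root that a shell would misparse."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            bad = "".join(sorted(set(SHELL_META.findall(name))))
            if bad:
                hits.append((os.path.join(dirpath, name), bad))
    return sorted(hits)

def commands_seen_by_shell(cmdline):
    """Approximate how sh splits a command line into separate commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def build_demo_tree():
    """Constructed sample tree; the third name is the one quoted in the Exploit-DB entry."""
    root = tempfile.mkdtemp(prefix="logscan-")
    os.makedirs(os.path.join(root, "httpd"))
    for name in ("access_log", "access_log.1", "fakee;who;access_log.2"):
        with open(os.path.join(root, "httpd", name), "w") as fh:
            fh.write("fake\n")
    return root

if __name__ == "__main__":
    for path, chars in find_suspicious_names(build_demo_tree()):
        print("suspicious:", path, "metacharacters:", repr(chars))
        print("  unquoted:", commands_seen_by_shell("cat " + path))
        print("  quoted:  ", commands_seen_by_shell("cat " + shlex.quote(path)))
```

On a real host, point `find_suspicious_names` at the log directories Logwatch is configured to read; a hit is worth investigating even on a patched system.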
CVSS provenance
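| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 10.0 | CRITICAL | |
| vendor_debian | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |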
Ubuntu
Logwatch vulnerability
vendor_ubuntu·2011-03-01
Dominik George discovered that logwatch did not properly sanitize
log file names that were passed to the shell as part of a command.
If a remote attacker were able to generate specially crafted filenames
(for example, via Samba logging), they could execute arbitrary code
with root privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
logwatch: Privilege escalation due improper sanitization of special characters in log file names
vendor_redhat·2011-02-16·CVSS 10.0
CVE-2011-1018 [CRITICAL] CWE-73 logwatch: Privilege escalation due improper sanitization of special characters in log file names
logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.
Package: logwatch (Red Hat Enterprise Linux 4) - Not affected
Debian
CVE-2011-1018: logwatch - logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary comma...
vendor_debian·2011·CVSS 10.0
CVE-2011-1018 [CRITICAL] CVE-2011-1018: logwatch - logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary comma...
logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.
Scope: local
bookworm: resolved (fixed in 7.3.6.cvs20090906-2)
bullseye: resolved (fixed in 7.3.6.cvs20090906-2)
forky: resolved (fixed in 7.3.6.cvs20090906-2)
sid: resolved (fixed in 7.3.6.cvs20090906-2)
trixie: resolved (fixed in 7.3.6.cvs20090906-2)
GHSA
GHSA-g657-whx2-ph73: logwatch
ghsa_unreviewed·2022-05-17
CVE-2011-1018 [HIGH] CWE-20 GHSA-g657-whx2-ph73: logwatch
logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.
OSV
CVE-2011-1018: logwatch
osv·2011-02-25·CVSS 10.0
CVE-2011-1018 [CRITICAL] CVE-2011-1018: logwatch
logwatch.pl in Logwatch 7.3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in a log file name, as demonstrated via a crafted username to a Samba server.
No detection rules found.
Exploit-DB
phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (1)
exploitdb·2011-10-23
CVE-2011-4075 phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection (1)
---
$key)) {\n";
1018. $code .= " asort(\$a->$key);\n";
1019. $code .= " \$aa = array_shift(\$a->$key);\n";
....
1078. $code .= 'return $c;';
1079.
1080. $CACHE[$sortby] = create_function('$a, $b',$code);
1081. }
The $sortby parameter passed to 'masort' function isn't properly sanitized before being used in a call to create_function()
at line 1080, this can be exploited to inject and execute arbitrary PHP code. The only possible attack vector is when handling
the 'query_engine' command, here input passed through $_REQUEST['orderby'] is passed as $sortby parameter to 'masort' function.
[-] Disclosure timeline:
[30/09/2011] - Vulnerability discovered
[02/10/2011] - Issue reported to http://sourceforge.net/support/tracker.php?aid=341
Exploit-DB
Logwatch Log File - Special Characters Privilege Escalation
exploitdb·2011-02-24
CVE-2011-1018 Logwatch Log File - Special Characters Privilege Escalation
---
source: https://www.securityfocus.com/bid/46554/info
Logwatch is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
% echo "fake" > "/var/log/httpd/fakee;who;access_log.2"