CVE-2014-0476
Published 2014-10-25. CVE-2014-0476: The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse…
Priority: P4 26 low
CVSS 2.0: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 3.83% (88.8th percentile)
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.
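The NOTE above makes the whole issue conditional on how /tmp is mounted, so the first thing a defender wants is a way to confirm that condition. The following is an added example, not code from the page or from chkrootkit: it reads mount-table lines in /proc/self/mounts format (source, target, fstype, options, dump, pass), reports whether a given mount point carries noexec, and also runs against the live table where one exists. The sample table is constructed here; the function names are my own.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): does a mount point carry "noexec"?
# Input format is that of /proc/self/mounts: source target fstype options dump pass
set -u

# $1 = mount point, $2 = file holding mount-table lines.
# Exit status: 0 = mounted with noexec, 1 = mounted without it,
#              2 = not a mount point in the table (inherits its parent's options).
mount_noexec_status() {
    mp=$1
    table=$2
    status=2
    # Later entries shadow earlier ones, so the last matching line wins.
    # Caveat: the kernel escapes spaces in paths as \040; not decoded here.
    while read -r _src target _fstype opts _rest; do
        [ "$target" = "$mp" ] || continue
        case ",$opts," in
            *,noexec,*) status=0 ;;
            *)          status=1 ;;
        esac
    done < "$table"
    return "$status"
}

# Constructed sample table for the demonstration; prints the temp file path.
write_sample_table() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/tmp ext4 rw,relatime 0 0
EOF
    echo "$f"
}

# Human-readable verdict for one mount point ($1) against table file ($2).
describe() {
    rc=0
    mount_noexec_status "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1: noexec set; files dropped here cannot be executed" ;;
        1) echo "$1: mounted WITHOUT noexec; CVE-2014-0476 precondition met if chkrootkit < 0.50" ;;
        *) echo "$1: not a separate mount; it inherits its parent's options" ;;
    esac
}

SAMPLE=$(write_sample_table)
describe /tmp     "$SAMPLE"    # noexec set
describe /var/tmp "$SAMPLE"    # mounted WITHOUT noexec
describe /tmp/x   "$SAMPLE"    # not a separate mount
rm -f "$SAMPLE"

# Same check against the running system (Linux only).
if [ -r /proc/self/mounts ]; then describe /tmp /proc/self/mounts; fi
```

Exit status 2 is deliberately distinct from 1: a path that is not itself a mount point takes the options of the filesystem it lives on, so the caller has to walk up to the parent mount before drawing a conclusion.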
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| chkrootkit | chkrootkit | <= 0.49 | — |
| chkrootkit | chkrootkit | >= 0 < 0.49-5 | 0.49-5 |
| chkrootkit | chkrootkit | >= 0 < 0.49-5 | 0.49-5 |
| chkrootkit | chkrootkit | >= 0 < 0.49-5 | 0.49-5 |
| chkrootkit | chkrootkit | >= 0 < 0.49-5 | 0.49-5 |
| debian | chkrootkit | < chkrootkit 0.49-5 (bookworm) | chkrootkit 0.49-5 (bookworm) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 3.7 | LOW | AV:L/AC:H/Au:N/C:P/I:P/A:P |
| osv | — | 3.7 | LOW | — |
| vendor_debian | — | 3.7 | LOW | — |
GHSA
GHSA-f6jc-6vm7-jv5m (ghsa_unreviewed, 2022-05-17): CVE-2014-0476 [LOW] CWE-20
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.
OSV
CVE-2014-0476 (osv, 2014-10-25, CVSS 3.7) [LOW]
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.
Ubuntu
chkrootkit vulnerability (vendor_ubuntu, 2014-06-04): CVE-2014-0476
Title: chkrootkit vulnerability
Summary: chkrootkit could be made to run programs as an administrator.
Thomas Stangner discovered that chkrootkit incorrectly quoted certain
values. A local attacker could use this issue to execute arbitrary code
when chkrootkit is run and gain root privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2014-0476 (vendor_debian, 2014, CVSS 3.7) [LOW]: chkrootkit
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.
Scope: local
bookworm: resolved (fixed in 0.49-5)
bullseye: resolved (fixed in 0.49-5)
forky: resolved (fixed in 0.49-5)
sid: resolved (fixed in 0.49-5)
trixie: resolved (fixed in 0.49-5)
No detection rules found.
Exploit-DB
Chkrootkit - Local Privilege Escalation (Metasploit) (exploitdb, 2015-11-20): CVE-2014-0476
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 'Chkrootkit Local Privilege Escalation',
'Description' => %q{
Chkrootkit before 0.50 will run any executable file named
/tmp/update as root, allowing a trivial privsec.
WfsDelay is set to 24h, since this is how often a chkrootkit
scan is scheduled by default.
},
'Author' => [
'Thomas Stangner', # Original exploit
'Julien "jvoisin" Voisin' # Metasploit module
],
'References' => [
['CVE', '2014-0476'],
['OSVDB', '107710'],
['EDB', '33899'],
['BID', '67813'],
['CWE', '20'],
['URL', 'http://seclists.org/oss-sec/2014/q2/430']
],
'DisclosureDate' => 'Jun 04 2014',
'License' => MSF_LI
Exploit-DB
Chkrootkit 0.49 - Local Privilege Escalation (exploitdb, 2014-06-28): CVE-2014-0476
---
We just found a serious vulnerability in the chkrootkit package, which
may allow local attackers to gain root access to a box in certain
configurations (/tmp not mounted noexec).
The vulnerability is located in the function slapper() in the
shellscript chkrootkit:
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
slapper (){
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
OPT=-an
STATUS=0
file_port=
if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
then
STATUS=1
[ "$SYSTEM" = "Linux" ] &&
Metasploit
Chkrootkit Local Privilege Escalation (metasploit)
Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.
Bugzilla
CVE-2014-0476 chkrootkit: local privilege escalation (bugzilla, 2014-06-04, CVSS 3.7) [LOW]
A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.
The problematic part was:
file_port=$file_port $i
Which is changed to file_port="$file_port $i" to fix the issue. From the Debian diff:
--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+--- chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+ fi
+ for i in ${SLAPPER_FILE
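Review bot: The hunk is cut off after the context line `+ for i in ${SLAPPER_FILE`, so the `-`/`+` pair for the `file_port=$file_port $i` line that the description says is changed never appears; the visible part of the inner hunk (`@@ -117,7 +117,7 @@ slapper (){`) shows only the patch header and two unchanged context lines, which is not enough to confirm the fix from this excerpt. The outer header `@@ -0,0 +1,13 @@` says the full patch is 13 lines, so the remaining lines, including the quoted assignment `file_port="$file_port $i"`, should be attached in full before this is taken as evidence that 0.49-5 carries the fix.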
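The Exploit-DB write-up and this Bugzilla entry both come down to one unquoted assignment, `file_port=$file_port $i`. The following is an added example, not chkrootkit's code and not the Debian patch: it reproduces the shell parsing rule that makes that line execute `$i` (a `VAR=value word` command line runs `word` with `VAR` in its environment) next to the quoted form that merely appends, and verifies the difference with a harmless planted file that only writes a marker. It assumes a POSIX sh, mktemp, and that the current directory is writable and not mounted noexec; the scratch directory, the planted file and all function names are constructed here.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): why  file_port=$file_port $i  runs $i.
# Everything happens in a private scratch directory; the planted file only
# creates a marker file so that execution can be observed.
set -u

# Creates the scratch directory with one executable file in it; prints its path.
# Prefers $PWD because a noexec $TMPDIR would (correctly) block the execution.
setup_scratch() {
    dir=$(mktemp -d "$PWD/scratch.XXXXXX" 2>/dev/null || mktemp -d)
    printf '#!/bin/sh\ntouch "%s/marker"\n' "$dir" > "$dir/update"
    chmod +x "$dir/update"
    echo "$dir"
}

# Vulnerable form, as in chkrootkit < 0.50. The shell reads
#   file_port=$file_port $i
# as: run the command "$i" with file_port=<old value> in its environment.
# The variable is never appended to, and the file is executed instead.
collect_vulnerable() {
    dir=$1
    file_port=
    for i in "$dir/update" "$dir/.cinik"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i      # executes $i
        fi
    done
    echo "$file_port"
}

# Fixed form: quoting makes the whole thing a single assignment.
collect_fixed() {
    dir=$1
    file_port=
    for i in "$dir/update" "$dir/.cinik"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"   # string append only
        fi
    done
    echo "$file_port"
}

# Runs one collector ($1) in a fresh scratch directory and prints
# "<executed|not-executed>|<collected value>", then cleans up.
probe() {
    dir=$(setup_scratch)
    collected=$("$1" "$dir")
    if [ -e "$dir/marker" ]; then state=executed; else state=not-executed; fi
    rm -rf "$dir"
    echo "$state|$collected"
}

probe collect_vulnerable   # executed|            (marker written, nothing collected)
probe collect_fixed        # not-executed| /.../scratch.XXXXXX/update
```

Two details are worth noticing in the output: the vulnerable variant not only executes the file, it also leaves `file_port` empty, because a temporary `VAR=value` prefix never persists past the command it decorates; and a noexec mount would turn the execution into a "Permission denied" error, which is exactly why the advisory text scopes the issue to systems where /tmp lacks that option.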
Bugzilla
CVE-2014-0476 chkrootkit: local privilege escalation [fedora-all] (bugzilla, 2014-06-04, CVSS 3.7) [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2014-0476 chkrootkit: local privilege escalation [epel-all] (bugzilla, 2014-06-04, CVSS 3.7) [LOW]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, use the bodhi submission link noted
in the next comment(s). This will include the bug IDs of this tracking
bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
NOTE: this issue affects multiple supported
References
http://osvdb.org/show/osvdb/107710
http://packetstormsecurity.com/files/134484/Chkrootkit-Local-Privilege-Escalation.html
http://www.chkrootkit.org/
http://www.debian.org/security/2014/dsa-2945
http://www.openwall.com/lists/oss-security/2014/06/04/9
http://www.ubuntu.com/usn/USN-2230-1
https://security.gentoo.org/glsa/201709-05
https://www.exploit-db.com/exploits/38775/
Published: 2014-10-25