Vulnerability Note VU#105347
XMCD vulnerable to arbitrary file overwriting via symlink redirection of temporary file
xmcd is an x11/motif CD playing utility, in the public domain. cda, the command line interface to xmcd, executes with system administrator privileges. It is vulnerable to a symbolic link attack that may allow a local user to obtain administrator privileges.
cda, the command line interface to xmcd, executes with system administrator privileges. It creates insecure temporary files with predictable names in /tmp, a world-writable directory.
By creating symbolic links with appropriate names, a local attacker may overwrite any writable file on the system. If the attacker can control the content of the overwritten files, elevation of privileges may result.
Apply vendor patches; see the Systems Affected section below.
Remove the setuid protection from cda.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|SuSE||Affected||23 Aug 2001||24 Sep 2001|
|Caldera||Not Affected||27 Sep 2001||27 Sep 2001|
|Debian||Not Affected||27 Sep 2001||27 Sep 2001|
|IBM||Unknown||27 Sep 2001||15 Nov 2001|
|RedHat||Unknown||27 Sep 2001||15 Nov 2001|
|Sequent||Unknown||27 Sep 2001||15 Nov 2001|
CVSS Metrics (Learn More)
This vulnerability was first reported by Paul Starzetz.
This document was last modified by Tim Shimeall.
- CVE IDs: Unknown
- Date Public: 23 Aug 2001
- Date First Published: 15 Nov 2001
- Date Last Updated: 15 Nov 2001
- Severity Metric: 9.98
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.