CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#396272

mgetty creates temporary files insecurely

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.

I. Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

II. Impact

By creating a symbolic link named '.last_run' and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Disable the faxrunq service.

Systems Affected

VendorStatusDate Updated
AppleNot Vulnerable20-Sep-2001
BSDIUnknown20-Sep-2001
CalderaVulnerable13-Sep-2001
CrayNot Vulnerable27-Sep-2001
CrayUnknown20-Sep-2001
Data GeneralUnknown20-Sep-2001
DebianVulnerable13-Sep-2001
DECUnknown20-Sep-2001
FreeBSDVulnerable13-Sep-2001
FujitsuUnknown20-Sep-2001
HPNot Vulnerable20-Sep-2001
IBMNot Vulnerable20-Sep-2001
ImmunixVulnerable13-Sep-2001
MandrakeSoftVulnerable13-Sep-2001
NECUnknown20-Sep-2001
NetBSDNot Vulnerable8-Nov-2001
NeXTUnknown20-Sep-2001
OpenBSDNot Vulnerable20-Sep-2001
RedHatVulnerable20-Sep-2001
SCONot Vulnerable20-Sep-2001
SequentUnknown20-Sep-2001
SGIUnknown20-Sep-2001
SonyUnknown20-Sep-2001
SunUnknown20-Sep-2001
UnisysUnknown20-Sep-2001

References


http://www.securityfocus.com/bid/2187
http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt
http://www.linuxsecurity.com/advisories/caldera_advisory-1059.html
http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html
http://www.linuxsecurity.com/advisories/debian_advisory-1184.html
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc
http://www.linuxsecurity.com/advisories/freebsd_advisory-894.html
http://www.redhat.com/support/errata/RHSA-2001-050.html
http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html
http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1
http://www.linuxsecurity.com/advisories/other_advisory-1034.html

Credit

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

Date Public01/10/2001
Date First Published10/01/2001 01:07:23 PM
Date Last Updated11/08/2001
CERT Advisory 
CVE NameCAN-2001-0141
Metric1.13
Document Revision17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2001 Carnegie Mellon University