Vulnerability Note VU#396272

mgetty creates temporary files insecurely

Original Release date: 01 Oct 2001 | Last revised: 08 Nov 2001

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files with predictable names in a world-writable directory without checking whether the file already exists or who owns it. Using a symbolic link attack, an intruder might cause arbitrary files on the system to be overwritten, but the risk of elevated privileges is low.

Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

Impact

By creating a symbolic link named '.last_run' that points to any existing file, an attacker can cause mgetty to overwrite that file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.
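
The missing check described in the Description and Impact sections, as an added C example (not mgetty or faxrunq source code, and not taken from any vendor patch): stamp_unsafe opens a fixed name with no existence or ownership check, while stamp_safe refuses a symbolic link and verifies file type, owner and link count before truncating. The function names, the scratch directory under /tmp and the 6-byte sample file are constructed for this illustration.

```c
/* Added example (constructed; not mgetty or faxrunq source code). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the note describes: fixed name, no existence or ownership check.
 * open() follows a pre-planted symlink and O_TRUNC empties its target. */
int stamp_unsafe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : close(fd);
}

/* Hardened: refuse a symlink, then check the opened file before truncating. */
int stamp_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* ELOOP when path is a symlink */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_uid == geteuid() && st.st_nlink == 1 &&
             ftruncate(fd, 0) == 0;      /* runs only if all checks passed */
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: scratch dir where ".last_run" is a symlink to a
 * 6-byte file; returns that file's size after the chosen routine runs. */
long victim_size_after(int use_safe) {
    char dir[] = "/tmp/vu396272.XXXXXX", victim[64], stamp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(stamp, sizeof stamp, "%s/.last_run", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("sample", f);                  /* 6 bytes of constructed content */
    fclose(f);
    if (symlink(victim, stamp) != 0) return -1;
    if (use_safe) stamp_safe(stamp); else stamp_unsafe(stamp);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(stamp); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe=%ld safe=%ld\n", victim_size_after(0), victim_size_after(1));
    return 0;
}
```

The hardened routine only shows the per-file check; it does not replace the vendor patches listed under Systems Affected.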

Solution

Apply vendor patches; see the Systems Affected section below.

Disable the faxrunq service.

Systems Affected

Vendor        Status        Date Notified  Date Updated
Caldera       Affected      10 Jan 2001    13 Sep 2001
Debian        Affected      06 Mar 2001    13 Sep 2001
FreeBSD       Affected      20 Sep 2000    13 Sep 2001
Immunix       Affected      10 Jan 2001    13 Sep 2001
MandrakeSoft  Affected      10 Jan 2001    13 Sep 2001
RedHat        Affected      18 Sep 2001    20 Sep 2001
Apple         Not Affected  18 Sep 2001    20 Sep 2001
Cray          Not Affected  18 Sep 2001    27 Sep 2001
HP            Not Affected  18 Sep 2001    20 Sep 2001
IBM           Not Affected  18 Sep 2001    20 Sep 2001
NetBSD        Not Affected  18 Sep 2001    08 Nov 2001
OpenBSD       Not Affected  18 Sep 2001    20 Sep 2001
SCO           Not Affected  18 Sep 2001    20 Sep 2001
BSDI          Unknown       18 Sep 2001    20 Sep 2001
Cray          Unknown       18 Sep 2001    20 Sep 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

  • CVE IDs: CAN-2001-0141
  • Date Public: 10 Jan 2001
  • Date First Published: 01 Oct 2001
  • Date Last Updated: 08 Nov 2001
  • Severity Metric: 1.13
  • Document Revision: 17
