SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#396272

mgetty creates temporary files insecurely

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.

I. Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

II. Impact

By creating a symbolic link named '.last_run' and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Disable the faxrunq service.

Systems Affected

VendorStatusDate NotifiedDate Updated
AppleNot Vulnerable20-Sep-2001
BSDIUnknown20-Sep-2001
CalderaVulnerable13-Sep-2001
CrayNot Vulnerable27-Sep-2001
CrayUnknown20-Sep-2001
Data GeneralUnknown20-Sep-2001
DebianVulnerable13-Sep-2001
DECUnknown20-Sep-2001
FreeBSDVulnerable13-Sep-2001
FujitsuUnknown20-Sep-2001
HPNot Vulnerable20-Sep-2001
IBMNot Vulnerable20-Sep-2001
ImmunixVulnerable13-Sep-2001
MandrakeSoftVulnerable13-Sep-2001
NECUnknown20-Sep-2001
NetBSDNot Vulnerable8-Nov-2001
NeXTUnknown20-Sep-2001
OpenBSDNot Vulnerable20-Sep-2001
RedHatVulnerable20-Sep-2001
SCONot Vulnerable20-Sep-2001
SequentUnknown20-Sep-2001
SGIUnknown20-Sep-2001
SonyUnknown20-Sep-2001
SunUnknown20-Sep-2001
UnisysUnknown20-Sep-2001

References

http://www.securityfocus.com/bid/2187
http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt
http://www.linuxsecurity.com/advisories/caldera_advisory-1059.html
http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html
http://www.linuxsecurity.com/advisories/debian_advisory-1184.html
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc
http://www.linuxsecurity.com/advisories/freebsd_advisory-894.html
http://www.redhat.com/support/errata/RHSA-2001-050.html
http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html
http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1
http://www.linuxsecurity.com/advisories/other_advisory-1034.html

Credit

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

Date Public:2001-01-10
Date First Published:2001-10-01
Date Last Updated:2001-11-08
CERT Advisory: 
CVE-ID(s):CAN-2001-0141
NVD-ID(s):CAN-2001-0141
US-CERT Technical Alerts: 
Severity Metric:1.13
Document Revision:17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader