Vulnerability Note VU#405955
util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility
Overview
The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.
I. Description
util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system.
For further details, please see the BindView Advisory.
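The defect described above is a temporary file created with open(O_CREAT) but without O_EXCL, which lets a file or symlink already present at that path be silently reused. The following is an added example, not code from this note or from util-linux, showing the safe creation pattern on which the Solution's patch relies: exclusive creation of the temp file, and a lock taken by an atomic link() of that file (the link()-based lock step and the retry loop are this example's own construction, modelled on the three-attempt loop visible in the patch context). The demo() function builds its own fixture under a mkdtemp() directory and returns 0 when all checks hold.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a private temporary file at `path`.
 * O_EXCL makes open() fail (errno == EEXIST) if anything already exists at
 * that path, so a leftover or pre-placed file or symlink is never reused;
 * O_NOFOLLOW additionally refuses a symlink in the final path component.
 * Returns the open fd, or -1 with errno set. */
int create_private_tmp(const char *path)
{
    mode_t oldumask = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved_errno = errno;          /* umask() must not clobber the reason */
    umask(oldumask);
    errno = saved_errno;
    return fd;
}

/* Take the lock `lockpath` by hard-linking the private temp file to it.
 * link() either creates the new name atomically or fails with EEXIST, so two
 * processes can never both believe they hold the lock. `tries` bounds the
 * retry loop; a one second pause separates attempts. Returns 0 when the lock
 * is held, -1 otherwise. (Hypothetical helper, not util-linux code.) */
int acquire_lock(const char *tmppath, const char *lockpath, int tries)
{
    for (int x = 0; x < tries; x++) {
        if (x > 0)
            sleep(1);
        int fd = create_private_tmp(tmppath);
        if (fd == -1) {
            if (errno == EEXIST)
                continue;             /* stale temp file: wait and retry */
            return -1;                /* permission or I/O error: give up */
        }
        int ret = link(tmppath, lockpath);
        int link_errno = errno;
        unlink(tmppath);              /* the temp name is no longer needed */
        close(fd);
        if (ret == 0)
            return 0;                 /* lock acquired */
        if (link_errno != EEXIST)
            return -1;
        /* someone else holds the lock: loop and try again */
    }
    return -1;
}

/* Exercise both functions in a fresh directory under /tmp (constructed test
 * fixture). Returns 0 when every check passes, otherwise a bit mask naming
 * the failed check(s), or -1 if the fixture could not be created. */
int demo(void)
{
    char dir[] = "/tmp/ptmpdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char tmp[512], lock[512];
    snprintf(tmp, sizeof tmp, "%s/ptmptmp", dir);
    snprintf(lock, sizeof lock, "%s/ptmp", dir);
    int failed = 0;

    /* 1. empty directory: the lock is acquired on the first try */
    if (acquire_lock(tmp, lock, 1) != 0)
        failed |= 1;
    /* 2. lock already held: a second caller is refused, not let through */
    if (acquire_lock(tmp, lock, 1) != -1)
        failed |= 2;
    unlink(lock);
    /* 3. a file already sits at the temp path (the situation a missing
     *    O_EXCL leaves open): exclusive creation refuses it with EEXIST */
    int pre = open(tmp, O_WRONLY | O_CREAT, 0644);
    if (pre != -1)
        close(pre);
    int again = create_private_tmp(tmp);
    if (again != -1 || errno != EEXIST) {
        failed |= 4;
        if (again != -1)
            close(again);
    }
    unlink(tmp);
    rmdir(dir);
    return failed;
}

int main(void)
{
    int r = demo();
    printf("demo checks: %s (mask %d)\n", r == 0 ? "all passed" : "FAILED", r);
    return r == 0 ? 0 : 1;
}
```

The saved errno around umask() matters: the caller distinguishes EEXIST (retry) from any other failure (abort), and umask() is allowed to disturb errno. Check 3 is the defensive property the advisory's fix buys: a file that was already there is reported, never written through.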
II. Impact
A local user may be able to elevate their privileges on the system.
III. Solution
Apply a patch from your vendor. An immediate workaround (provided by BindView) is to remove the setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows.
--- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000
+++ util-linux-2.11n/login-utils/setpwnam.c Wed Jun 12 21:37:12 2002
@@ -98,7 +98,8 @@
/* sanity check */
for (x = 0; x < 3; x++) {
if (x > 0) sleep(1);
- fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644);
+ // Never share the temporary file.
+ fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644);
if (fd == -1) {
umask(oldumask);
return -1;
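Review bot: with O_EXCL, open() now fails with errno == EEXIST whenever PTMPTMP_FILE already exists, and the unchanged `if (fd == -1) { umask(oldumask); return -1;` branch turns that into an immediate failure, so a stale temp file left behind by an interrupted run blocks every later invocation until it is removed by hand, and the three-iteration loop with sleep(1) never gets to retry the open. Consider checking `errno == EEXIST` and continuing to the next iteration, returning -1 only for other errors. Style point: the added `// Never share the temporary file.` uses C99/C++ comment syntax in a file that otherwise uses `/* */` (see the `/* sanity check */` line just above); keep the comment style consistent and say what the flag prevents (reusing a file or symlink already present at the path) rather than "never share".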
Systems Affected
References
http://www.securityfocus.com/bid/5344
Credit
Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.
This document was written by Ian A Finlay.
Other Information
| Date Public | 07/29/2002 |
| Date First Published | 07/29/2002 02:57:48 PM |
| Date Last Updated | 05/30/2003 |
| CERT Advisory | |
| CVE Name | CAN-2002-0638 |
| US-CERT Technical Alerts | |
| Metric | 10.97 |
| Document Revision | 18 |
If you have feedback, comments, or additional information about this vulnerability, please send us email.