Vulnerability Note VU#405955

util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Original Release date: 29 Jul 2002 | Last revised: 30 May 2003

Overview

The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.

Description

util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system.

For further details, please see the Bindview Advisory.

Impact

A local user may be able to elevate their privileges on the system.

Solution

Apply a patch from your vendor, or, an immediate workaround (provided by BindView) is to remove setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows.

--- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000
+++ util-linux-2.11n/login-utils/setpwnam.c     Wed Jun 12 21:37:12 2002
@@ -98,7 +98,8 @@
    /* sanity check */
    for (x = 0; x < 3; x++) {
       if (x > 0) sleep(1);
-       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644);
+        // Never share the temporary file.
+       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644);
       if (fd == -1) {
           umask(oldumask);
           return -1;

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Red Hat Inc.Affected26 Jun 200210 Jul 2002
Sun Microsystems Inc.Affected26 Jun 200217 Jul 2002
The SCO Group (SCO Linux)Affected26 Jun 200230 Oct 2002
AlcatelNot Affected26 Jun 200224 Jul 2002
Cray Inc.Not Affected26 Jun 200210 Jul 2002
DebianNot Affected26 Jun 200227 Jun 2002
IBMNot Affected26 Jun 200217 Jul 2002
Lotus SoftwareNot Affected26 Jun 200211 Jul 2002
Microsoft CorporationNot Affected26 Jun 200212 Jul 2002
NetBSDNot Affected26 Jun 200212 Jul 2002
Openwall GNU/*/LinuxNot Affected-15 Aug 2002
SuSE Inc.Not Affected26 Jun 200215 Jul 2002
Xerox CorporationNot Affected26 Jun 200230 May 2003
3ComUnknown26 Jun 200210 Jul 2002
Apple Computer Inc.Unknown26 Jun 200210 Jul 2002
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2002-0638
  • Date Public: 29 Jul 2002
  • Date First Published: 29 Jul 2002
  • Date Last Updated: 30 May 2003
  • Severity Metric: 10.97
  • Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.