SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#405955

util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Overview

The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.

I. Description

util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system.

For further details, please see the Bindview Advisory.

II. Impact

A local user may be able to elevate their privileges on the system.

III. Solution

Apply a patch from your vendor, or, an immediate workaround (provided by BindView) is to remove setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows.


--- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000
+++ util-linux-2.11n/login-utils/setpwnam.c     Wed Jun 12 21:37:12 2002
@@ -98,7 +98,8 @@
    /* sanity check */
    for (x = 0; x < 3; x++) {
       if (x > 0) sleep(1);
-       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644);
+        // Never share the temporary file.
+       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644);
       if (fd == -1) {
           umask(oldumask);
           return -1;

Systems Affected

VendorStatusDate Updated
3ComUnknown10-Jul-2002
AlcatelNot Vulnerable24-Jul-2002
Apple Computer Inc.Unknown10-Jul-2002
AT&TUnknown28-Jun-2002
BSDIUnknown10-Jul-2002
Cisco Systems Inc.Unknown28-Jun-2002
Compaq Computer CorporationUnknown10-Jul-2002
Computer AssociatesUnknown10-Jul-2002
Cray Inc.Not Vulnerable10-Jul-2002
Data GeneralUnknown10-Jul-2002
DebianNot Vulnerable27-Jun-2002
F5 NetworksUnknown28-Jun-2002
FreeBSDUnknown10-Jul-2002
FujitsuUnknown28-Jun-2002
Guardian Digital Inc. Unknown10-Jul-2002
Hewlett-Packard CompanyUnknown27-Jun-2002
IBMNot Vulnerable17-Jul-2002
IntelUnknown28-Jun-2002
Juniper NetworksUnknown28-Jun-2002
LachmanUnknown10-Jul-2002
Lotus SoftwareNot Vulnerable11-Jul-2002
Lucent TechnologiesUnknown27-Jun-2002
MandrakeSoftUnknown28-Jun-2002
Microsoft CorporationNot Vulnerable12-Jul-2002
MultinetUnknown10-Jul-2002
NEC CorporationUnknown28-Jun-2002
NetBSDNot Vulnerable12-Jul-2002
Network ApplianceUnknown28-Jun-2002
Nortel NetworksUnknown10-Jul-2002
OpenBSDUnknown28-Jun-2002
Openwall GNU/*/LinuxNot Vulnerable15-Aug-2002
Oracle CorporationUnknown28-Jun-2002
Red Hat Inc.Vulnerable10-Jul-2002
SequentUnknown28-Jun-2002
SGIUnknown10-Jul-2002
Sony CorporationUnknown28-Jun-2002
Sun Microsystems Inc.Vulnerable17-Jul-2002
SuSE Inc.Not Vulnerable15-Jul-2002
The SCO Group (SCO Linux)Vulnerable30-Oct-2002
Unisphere NetworksUnknown28-Jun-2002
UnisysUnknown10-Jul-2002
Wind River Systems Inc.Unknown10-Jul-2002
Xerox CorporationNot Vulnerable30-May-2003

References


http://www.securityfocus.com/bid/5344

Credit

Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.

This document was written by Ian A Finlay.

Other Information

Date Public07/29/2002
Date First Published07/29/2002 02:57:48 PM
Date Last Updated05/30/2003
CERT Advisory 
CVE NameCAN-2002-0638
US-CERT Technical Alerts 
Metric10.97
Document Revision18

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2002 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader