mgetty, a replacement for getty designed to support modem and fax use, creates files with predictable names in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause arbitrary files on the system to be overwritten, but the risk of elevated privileges is low.
mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.
By creating a symbolic link named '.last_run' that points to any existing file, an attacker can cause mgetty to overwrite that file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.
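The unchecked write described above next to a hardened one, as an added example that is not mgetty's or any vendor's code. The function names and the constructed /tmp demo directory are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the note describes: open by name; a symlink is followed and its target truncated. */
int write_stamp_unsafe(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: never follow a symlink; reuse an existing file only if it is ours. */
int write_stamp_safe(const char *path, const char *text) {
    struct stat st;
    size_t len = strlen(text);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && errno == EEXIST)
        fd = open(path, O_WRONLY | O_NOFOLLOW);   /* fails on a symlink */
    if (fd < 0) return -1;
    /* Validate the opened object with fstat, not the name, so there is no check/use race.
       st_nlink != 1 rejects a hard link planted to a file we own elsewhere. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid() ||
        st.st_nlink != 1 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, text, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Constructed demo: a private directory stands in for the spool directory. */
int main(void) {
    char dir[] = "/tmp/spoolXXXXXX", victim[64], stamp[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(stamp, sizeof stamp, "%s/.last_run", dir);
    write_stamp_safe(victim, "important");
    if (symlink(victim, stamp) != 0) return 1;
    printf("safe write through link:   %d\n", write_stamp_safe(stamp, "run"));
    printf("unsafe write through link: %d\n", write_stamp_unsafe(stamp, "run"));
    unlink(stamp); unlink(victim); rmdir(dir);
    return 0;
}
```

The hardened function refuses the link and leaves the target untouched, while the unchecked one replaces the target's content with the stamp text.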
Apply vendor patches; see the Systems Affected section below.
Disable the faxrunq service.
This vulnerability was first identified by Greg Kroah-Hartman of Immunix.
This document was last changed by Tim Shimeall.
Date First Published: 2001-10-01
Date Last Updated: 2001-11-08 18:10 UTC