Vulnerability Note VU#426273
KTH Kerberos filesystem race condition on tickets stored in /tmp
There may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges.
During the creation of ticket files in the /tmp directory, a sequence of calls occur which may allow a local attacker to replace the ticket file with a symbolic link. If this symbolic link is followed when the ownership of the ticket file is set, the attacker may be able to gain ownership of files initially owned by root.
On systems where the sticky bit is not set on the /tmp directory, a local attacker can gain ownership of any file on the system. This allows the attacker to gain root privileges.
This attack may also be possible on systems where the /tmp directory does have its sticky bit set, depending on the exact sequence of calls used to create and set the ownership of the Kerberos ticket file.
Apply a patch from your vendor.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|FreeBSD||Affected||11 Dec 2000||14 Dec 2000|
|Apple||Not Affected||11 Dec 2000||14 Dec 2000|
|Compaq Computer Corporation||Not Affected||11 Dec 2000||14 Dec 2000|
|Fujitsu||Not Affected||11 Dec 2000||11 Jan 2001|
|IBM||Not Affected||11 Dec 2000||14 Dec 2000|
|Microsoft||Not Affected||11 Dec 2000||14 Dec 2000|
|BSDI||Unknown||11 Dec 2000||14 Dec 2000|
|Caldera||Unknown||11 Dec 2000||14 Dec 2000|
|Data General||Unknown||11 Dec 2000||14 Dec 2000|
|Debian||Unknown||11 Dec 2000||14 Dec 2000|
|Hewlett Packard||Unknown||11 Dec 2000||14 Dec 2000|
|KTH Kerberos||Unknown||-||14 Dec 2000|
|NetBSD||Unknown||11 Dec 2000||14 Dec 2000|
|OpenBSD||Unknown||11 Dec 2000||14 Dec 2000|
|RedHat||Unknown||11 Dec 2000||14 Dec 2000|
CVSS Metrics (Learn More)
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
- CVE IDs: Unknown
- Date Public: 09 Dec 2000
- Date First Published: 19 Dec 2000
- Date Last Updated: 11 Jan 2001
- Severity Metric: 8.19
- Document Revision: 9
If you have feedback, comments, or additional information about this vulnerability, please send us email.