Several SuSE Scripts Use Unsafe Temporary Files and May Allow Local Users to Gain Elevated Privileges
SecurityTracker Alert ID: 1008781
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 20 2004
Impact: Modification of system information, Modification of user information, Root access via local system, User access via local system
Description: Vulnerabilities were reported in several scripts shipped with SuSE Linux. A local user may be able to gain elevated privileges.

l0om reported that the following SuSE Linux 9.0 scripts use temporary files in an unsafe manner:

/usr/X11R6/bin/fvwm-bug
/usr/X11R6/bin/wm-oldmenu2new
/usr/X11R6/bin/x11perfcomp
/usr/X11R6/bin/xf86debug
/opt/kde3/bin/winpopup-send.sh
/sbin/lvmcreate_initrd

A local user may be able to create a symbolic link at the path of one of the potential temporary files, pointing to a critical file on the system. Then, when the affected script is executed, the symlinked file may be modified or overwritten by the script.

The specific impact depends on how the script is called and the privileges of the calling process.
Impact: A local user may be able to cause arbitrary files to be modified or overwritten with the privileges of another user or process.
Solution: No solution was available at the time of this entry.
Vendor URL: www.suse.de/
Cause: Access control error, State error
Underlying OS: Linux (SuSE)
Underlying OS Comments: 9.0
Reported By: Rene <l0om@excluded.org>
Message History:
None.
Source Message Contents
Date: 20 Jan 2004 14:48:31 -0000
From: Rene <l0om@excluded.org>
Subject: [SuSE 9.0] possible symlink attacks in some scripts
Product: some scripts shipped with suse 9.0
Date: 20.01.2004
Author: l0om <l0om@excluded.org>
greetings,
i have done a little research on a SuSE linux 9.0 box
for possible symlink attacks. i have checked nearly
every script i could find on the system. i haven't
found much and nothing very special. i don't have a
clue if the following scripts are executed somewhere
on the system but maybe someone uses them in a
script or something like that.
**
/usr/X11R6/bin/fvwm-bug
[...]
TEMP=/tmp/fvwm-bug.$$
[...]
cat > $TEMP <<EOF
[...]
**
/usr/X11R6/bin/wm-oldmenu2new
[...]
T=/tmp/wmmenu$$
[...]
cp $OLD_MENU $T-c
[...]
**
/usr/X11R6/bin/x11perfcomp
[...]
tmp=${TMPDIR-/tmp}/rates.$$
mkdir $tmp || exit 1
[...]
mkdir $tmp/rates
[...]
-l) cp $2 $tmp/labels
[...]
rm -rf $tmp
[...]
**
/usr/X11R6/bin/xf86debug
[...]
gdb << EOF &> /tmp/xf86debug.1.log
echo "Debugger output written to /tmp/xf86debug.1.log." #thx for that info
[...]
**
/opt/kde3/bin/winpopup-send.sh
echo "$2" > /tmp/.winpopup-new
echo `date +"%a %l:%m %p"` >> /tmp/.winpopup-new
cat "$1" | tr "\000" "\012" >> /tmp/.winpopup-new
mv -f /tmp/.winpopup-new /tmp/.winpopup
**
/sbin/lvmcreate_initrd
[...]
DEVRAM=/tmp/initrd.$$
[...]
verbose "using $DEVRAM as a temporary loopback file" #thx for that info
dd if=/dev/zero of=$DEVRAM count=$INITRDSIZE bs=1024 > /dev/null 2>&1
[...]
**********
greets @ proxy, takt, maximilian, sirius, dna, fe2k, xnet, zexl
rest of excluded.org
nofx, rancid, bad religion, less than jake ...
www.excluded.org --l0om
have Phun!
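
An added example, not part of the advisory, the reporter's message or any SuSE script: shell functions showing the usual hardening for the two patterns quoted above, predictable /tmp/name.$$ paths and fixed names such as /tmp/.winpopup-new. The function names are hypothetical, and mktemp is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the advisory): hardened replacements for the
# /tmp/name.$$ and fixed-name patterns quoted in the report.
# All function names here are hypothetical.

# Private temp file: mktemp picks an unpredictable name and creates the file
# with O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink is not followed.
make_tmpfile() {    # $1 = name prefix, e.g. fvwm-bug
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# Private temp directory (replaces: tmp=${TMPDIR-/tmp}/rates.$$; mkdir $tmp).
make_tmpdir() {     # $1 = name prefix
    mktemp -d "${TMPDIR:-/tmp}/$1.XXXXXXXXXX"
}

# For a path that must keep a fixed name: under noclobber (set -C) the shell
# refuses to overwrite an existing regular file, directly or via a symlink,
# and creates a missing file with O_EXCL, which fails on a dangling symlink.
write_exclusive() { # $1 = path, $2 = content
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Typical use in a script (replaces TEMP=/tmp/fvwm-bug.$$):
#   TEMP=$(make_tmpfile fvwm-bug) || exit 1
#   trap 'rm -f "$TEMP"' EXIT

# Self-check in a private sandbox (constructed scenario): a symlink already
# occupies the fixed name and points at a file that must stay unchanged.
selfcheck() {
    box=$(make_tmpdir tmpcheck) || return 1
    printf 'original\n' > "$box/protected"
    ln -s "$box/protected" "$box/.winpopup-new"
    rc=0
    write_exclusive "$box/.winpopup-new" "new data" && rc=1  # must be refused
    [ "$(cat "$box/protected")" = "original" ] || rc=1        # target untouched
    f=$(TMPDIR=$box; make_tmpfile fvwm-bug) || rc=1
    { [ -f "$f" ] && [ ! -L "$f" ]; } || rc=1                 # regular file, no link
    rm -rf "$box"
    return "$rc"
}

selfcheck && echo "temp-file handling OK"
```

write_exclusive only refuses paths that already exist; for scratch data that does not need a fixed name, make_tmpfile or make_tmpdir is the better replacement.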