bzip2 Race Condition Lets Local Users Modify Permissions of Certain Files
SecurityTracker Alert ID: 1013629|
SecurityTracker URL: http://securitytracker.com/id/1013629
(Links to External Site)
Updated: Jun 30 2008|
Original Entry Date: Apr 2 2005
Modification of system information, Modification of user information|
Exploit Included: Yes |
Version(s): 1.0.2 and prior versions|
A file permission vulnerability was reported in bzip2. A local user can change the permissions of certain files on the target system.|
A local user with write access to a directory that the target user is using bzip2 with to extract or compress a file can change the permissions on any file owned by the target user.
When extracting a file, the software applies the permissions of a compressed file to the uncompressed file. However, there is a time period between when the file handle for the uncompressed file is closed and the permissions are changed. A local user can exploit this race condition by replacing the decompressed file with a hardlink to another file on the target system during that time period. The hardlinked file's permissions will be changed to the permissions of the compressed bzip2 file.
A local user can cause the permissions on files owned by the target user to be changed when the target user decompresses a file using bzip2.|
No vendor solution was available at the time of this entry.|
As a workaround, the author of the report indicates that you can make sure that any directory that is being used by bzip2 to compress/decompress files is only writeable by the user or you can set the sticky bit on the directory's permissions.
Vendor URL: sources.redhat.com/bzip2/ (Links to External Site)
Access control error, State error|
Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Date: Wed, 30 Mar 2005 22:38:55 +0100|
Subject: bzip2 TOCTOU file-permissions vulnerability
bzip2 TOCTOU file-permissions vulnerability
Software URL: <http://sources.redhat.com/bzip2/>
Platform: Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low, requires local attacker and badly set directory permissions.
bzip2 1.0.2 and previous versions running on unix.
bzip2 1.0.2 compiled for Windows using lcc or MS Visual C++ is not effected.
If a malicious local user has write access to a directory in which a
target user is using bzip2 to extract or compress a file to then a
TOCTOU bug can be exploited to change the permission of any file
belonging to that user.
On decompressing bzip2 copies the permissions from the compressed
bzip2 file to the
uncompressed file. However there is a gap between the uncompressed
file being written (and it's file handler being close) and the
permissions of the file being changed.
During this gap a malicious user can remove the decompressed file and
replace it with a hard-link to another file belonging to the user.
bzip2 will then change the permissions on the hard-linked file to be
the same as that of the bzip2 file.
Ensure that any directory which is being used by bzip2 to
compress/decompress files is only writeable by the user or
alternatively set the sticky bit on the directory's permissions