SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Fileutils (GNU) Vendors:   [Multiple Authors/Vendors]
(Sun Issues Fix) GNU Fileutils Package Race Condition May Allow Local Users to Cause a Root User to Remove the Entire Filesystem
SecurityTracker Alert ID:  1017618
SecurityTracker URL:  http://securitytracker.com/id/1017618
CVE Reference:   CVE-2002-0435   (Links to External Site)
Date:  Feb 9 2007
Impact:   Denial of service via local system, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1 stable and 4.1.6 development version
Description:   A race condition vulnerability was reported in the GNU Fileutils package. A local user may be able to cause the entire filesystem to be removed by a root level user when the root user attempts to remove another directory (under certain conditions).

It is reported that a race condition exists in several components of the GNU fileutils package that may allow a local user to cause the root user to delete the entire filesystem.

According to the report, an insecure chdir("..") syscall is performed after removing the content of a subdirectory in order to get back to the upper directory during recursive removal of directory tree.

Condsider the following example of 'rm -fr /tmp/a' removing '/tmp/a/b/c' directory tree:

(strace output simplified for better readability)

chdir("/tmp/a") = 0
chdir("b") = 0
chdir("c") = 0
chdir("..") = 0
rmdir("c") = 0
chdir("..") = 0
rmdir("b") = 0
fchdir(3) = 0
rmdir("/tmp/a") = 0

In the above example, the race condition occurs after the current directory is changed to /tmp/a/b/c. If a local user then moves the /tmp/a/b/c directory to the /tmp/c directory, the two subsequent chdir("..") syscalls will apparently change to the root directory / and then rm will start removing files from the entire file system (if the calling user has sufficient privileges).
Impact:   A local user may be able to cause the entire filesystem to be removed by a root level user when the root user attempts to remove another directory (under certain conditions).
Solution:   Sun has issued the following fixes.

SPARC Platform

* Solaris 8 with patch 124969-01 or later
* Solaris 9 with patch 123372-02 or later
* Solaris 10 with patch 124244-01 or later

x86 Platform

* Solaris 8 with patch 124970-01 or later
* Solaris 9 with patch 123373-02 or later
* Solaris 10 with patch 124245-01 or later

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102782-1
Vendor URL:  www.gnu.org/software/fileutils/fileutils.html (Links to External Site)
Cause:   State error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 12 2002 GNU Fileutils Package Race Condition May Allow Local Users to Cause a Root User to Remove the Entire Filesystem


 Source Message Contents
Date:  Thu, 8 Feb 2007 22:12:34 -0500
Subject:  Security Vulnerability in rm(1) may Lead to Unauthorized Deletion of Files or Directories



http://sunsolve.sun.com/search/document.do?assetkey=1-26-102782-1

CVE-2002-0435


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC