SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Util-linux Vendors:   [Multiple Authors/Vendors]
Util-linux Package Contains 'Script' Command With Hard Link Flaw That May Let Local Users Overwrite Any File on the System in Certain Situations
SecurityTracker Alert ID:  1002963
SecurityTracker URL:  http://securitytracker.com/id/1002963
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 13 2001
Impact:   Denial of service via local system, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in the util-linux package in the 'script' command. A local user could cause any file on the system to be overwritten when a root-level user executes the script command.

It is reported that the 'script' command of the util-linux package contains a hardlink vulnerability which could cause any file on the disk to be overwritten.

Script is a tool to save terminal sessions for later reference. By default, script apparently creates a file called 'typescript' as a log file. A log user could create a hardlink from this file to any file on the system. If script is then run by a root level user, the script tool will overwrite the hardlinked file. Script reportedly checks for symbolic links but not hard links.

Impact:   A local user could create a hard link to a sensitive file that will be overwritten when a root-level user executes the 'script' command.
Solution:   The vendor has reportedly released a fixed version (apparently version 2.11n), available at the Vendor URL.
Vendor URL:  freshmeat.net/projects/util-linux/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Slackware Linux

Message History:   None.


 Source Message Contents

Subject:  Silly 'script' hardlink bug


Hi,
I found this, small bug, you might like it :)
tested on a slackware linux.

/*
-------------------------------------------------------
Title: Silly hardlink vulnerability in 'script' command
Software Author: yet unknown
Bug found by: Marco van Berkum (m.v.berkum@obit.nl)
Date: 12-12-2001
Priority: low
-------------------------------------------------------

Script command
--------------
The script command which is part of the util-linux
package contains a silly hardlink vulnerability which
could overwrite any file on the harddisk. Script is a
tool to save terminal sessions for later reference.
By default script creates a file called typescript
for its log.

The problem
-----------
Very simple, script (when executed as root) overwrites
hardlinks that could be set by any user to any file on
the harddisk. For instance, a malicious user can place
a hardlink 'typescript' to /etc/passwd (or any other file)
in his home directory. If the root user would execute
script in that directory it would cause script to
overwrite that file. Script does check for symlinks and
asks if the symlink should be overwritten, it lacks
checking hardlinks.

Priority
--------
Low, its not likely that root users execute script
in a user's home directory. They could though, its
a minor problem that must be fixed for that reason.

Author
------
Still looking for the correct person

*/

just my 2 cents,
Marco van Berkum
--
GCC dpu s:--- a- C+++ US++++ P++ L+++ E---- W N o-- K w---
O- M-- V-- PS+++ PE-- Y+ PGP--- t--- 5 X R* tv++ b+++ DI-- D----
G++ e- h+ r y*
+---------------------+------------------+-------------------+
|  Marco van Berkum   |   MB17300-RIPE   | Security Engineer |
|  http://ws.obit.nl  | "Chernobyl used  | Network Admin     |
|  m.v.berkum@obit.nl |     Windows"     |      UNIX         |
+---------------------+------------------+-------------------+


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC