SecurityTracker.com
Category:   Application (Generic)  >   Util-linux
Vendors:   Valente, Salvatore et al
(Trustix Issues Fix) Util-linux Collection of Utilities Contains a File Sharing Flaw and Race Condition That Allows Local Users to Gain Root Privileges
SecurityTracker Alert ID:  1004894
SecurityTracker URL:  http://securitytracker.com/id/1004894
CVE Reference:   CVE-2002-0638
Date:  Jul 31 2002
Impact:   Modification of system information, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in a shared component of the 'util-linux' collection of utilities for Linux. A local user can gain root access on the system.

It is reported that the 'setpwnam.c' shared component contains a file access and state flaw that affects several of the utilities in the 'util-linux' collection. The vulnerability can reportedly be exploited through the 'chfn' utility, which is apparently configured with set user id (suid) root privileges. The 'chfn' utility is provided to allow users to modify the personal information stored in the /etc/passwd file and, because of that, must have root privileges. The exploit involves modifying /etc/passwd, as described below and (in greater detail) in the Source Message.

In the 'login-utils/setpwnam.c' file, the code opens the '/etc/ptmptmp' file with the O_WRONLY|O_CREAT flags and 0644 permissions. This file is then linked to '/etc/ptmp' (the process exits on failure) and '/etc/ptmptmp' is removed. The file descriptor originally obtained is later used to write the new '/etc/passwd' contents using the fputs() function. When writing is completed, '/etc/passwd.OLD' is removed, '/etc/passwd' is linked to '/etc/passwd.OLD', and '/etc/ptmp' is renamed to '/etc/passwd'.

The vulnerability arises when the calling process is terminated abnormally, leaving the '/etc/ptmp' file in place. This effectively creates a lock on all calling applications, and the administrator has to remove the file manually.

If the calling process (chfn, for example) is stopped by SIGSTOP after the '/etc/ptmptmp' file is linked to '/etc/ptmp' but before '/etc/ptmptmp' is removed, and the administrator then removes the '/etc/ptmp' file, a local user can execute another copy of the calling process (chfn), which opens the existing '/etc/ptmptmp' and writes the file successfully. The local user can then resume the original process using SIGCONT. That process still has an open file descriptor to '/etc/ptmptmp' (later changed to '/etc/ptmp'), resulting in the file being renamed to '/etc/passwd'.

Certain care must be taken to properly control the contents written to the file (see the Source Message for a detailed description of the necessary steps).
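
The file states described above can be replayed safely in a scratch directory. The following C sketch is an added example, not util-linux code and not the vendor's fix: it contrasts the reported open flags (O_WRONLY|O_CREAT) with an exclusive create and adds a commit-time ownership check. The function names and the scratch paths are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flags as reported in the description: no O_EXCL, so an existing file is reused. */
static int open_tmp_weak(const char *tmp) {
    return open(tmp, O_WRONLY | O_CREAT, 0644);
}

/* Hardened: refuse a temp file that already exists or is a symlink. */
static int open_tmp_excl(const char *tmp) {
    return open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Commit-time check: 1 only if 'path' still names the inode behind 'fd'
 * and no other link to that inode exists. */
int fd_owns_path(int fd, const char *path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || lstat(path, &b) != 0) return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino && a.st_nlink == 1;
}

/* Replays the file states in a scratch directory (constructed paths, not /etc).
 * Returns 1 if the second writer shares the first writer's inode, 0 if it is
 * refused, -1 on setup failure. */
int second_writer_shares_inode(int hardened) {
    char dir[] = "/tmp/ptmpdemoXXXXXX", tmp[64], lock[64];
    struct stat a, b;
    int shared = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/ptmptmp", dir);
    snprintf(lock, sizeof lock, "%s/ptmp", dir);
    int fd1 = open_tmp_excl(tmp);            /* first writer creates the temp file */
    if (fd1 >= 0 && link(tmp, lock) == 0) {  /* ...and links it to the lock name   */
        unlink(lock);                        /* stale-looking lock removed by hand */
        int fd2 = hardened ? open_tmp_excl(tmp) : open_tmp_weak(tmp);
        shared = 0;
        if (fd2 >= 0 && fstat(fd1, &a) == 0 && fstat(fd2, &b) == 0)
            shared = (a.st_dev == b.st_dev && a.st_ino == b.st_ino);
        if (fd2 >= 0) close(fd2);
    }
    if (fd1 >= 0) close(fd1);
    unlink(tmp); unlink(lock); rmdir(dir);
    return shared;
}
```

With the exclusive create, a leftover temp file makes later runs fail closed until it is cleaned up, rather than letting two writers share one file.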

Impact:   A local user may be able to write arbitrary data to the '/etc/passwd' file to gain root privileges on the system.
Solution:   Trustix has released a fix, available at:

<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.

Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


MD5sums of the packages:


Cause:   Access control error, State error
Underlying OS:  Linux (Trustix)
Underlying OS Comments:  1.1, 1.2, 1.5

Message History:   This archive entry is a follow-up to the message listed below.
Jul 30 2002 Util-linux Collection of Utilities Contains a File Sharing Flaw and Race Condition That Allows Local Users to Gain Root Privileges



 Source Message Contents

Subject:  TSLSA-2002-0064 util-linux


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0064

Package name:      util-linux
Summary:           local problem
Date:              2002-07-30
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  The chfn feature of the util-linux package shipped with all versions
  of TSL suffers from a locally exploitable file locking problem.

  With some interference from the system administrator an attacker could
  gain escalated privileges.

  As a result of upgrading the somewhat old TSL 1.1 release, the bash
  packages for TSL 1.1 are also updated.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2002-0638 to this issue.


Action:
  We recommend that all systems with this package installed are upgraded.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailing list.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0064-util-linux.asc.txt>


MD5sums of the packages:


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9RlhmwRTcg4BxxS0RAukJAJwKtkcOyfPOHGF8fDscZ+PqlQNYxQCfYbR5
YRInF9CpsvSjOxDvlXDk/9I=
=umpo
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@trustix.org
http://www.trustix.org/mailman/listinfo.cgi/tsl-announce


 
 

