Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   EMC NetWorker Vendors:   Legato Systems, Inc.
NetWorker 'nsr_shutdown' Unsafe Temporary File May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1008801
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 21 2004
Impact:   Modification of system information, Root access via local system

Version(s): 6.0
Description:   A temporary file vulnerability was reported in NetWorker. A local user may be able to gain elevated privileges on the target system.

l0om reported that the 'nsr_shutdown' script uses temporary files in an unsafe manner. A local user can create a symbolic link from a critical file on the system to a likely temporary filename. Then, when the script is executed, the symlinked file will be modified or overwritten with the root privileges.

Impact:   A local user may be able to obtain root privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  Networker 6.0 - possible symlink attack

product: networker 6.0
date: 19.01.2003
author: l0om  <>

possible symlink attack in shutdown scribt

the networker is a backup and storeage system from fujitsu siemens.

the shutdown (nsr_shutdown) scribt from networker version 6.0 contains a 
the following:

        rm -f /tmp/nsrsh$$
        echo '. type: nsr group' > /tmp/nsrsh$$  # <----------------
        echo 'update work list:; completion:' >> /tmp/nsrsh$$
        nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
        rm -f /tmp/nsrsh$$

as we all know the "$$" is no protection against symlink attacks
a user could creat a symbolic link from /tmp/nsrsh(guessed pid) 
to somewhere in the system and could create or overwrite any file
on the system because it must be executed with root priv.

a better handling would be something like:

echo '. type: nsr group' > $TMPFILE
        echo 'update work list:; completion:' >> $TMPFILE
        nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
        rm -f $TMPFILE

or "mktemp /tmp/phun.XXXXXX"

- have phun
 - l0om 


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC