SuSE YaST 'online_update' Temporary File Symlink Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1009668|
SecurityTracker URL: http://securitytracker.com/id/1009668
(Links to External Site)
Date: Apr 5 2004
Modification of system information, Modification of user information, User access via local system|
Exploit Included: Yes |
A temporary file vulnerability was reported in the SuSE YaST Online Update feature. A local user may be able to obtain elevated privileges.|
l0om from excluded.org reported that when the 'online_update' function is invoked, the software will create the following files in the '/usr/tmp/you-$USER' directory: 'cookies', 'quickcheack', and 'youservers'. A local user can create a symbolic link (symlink) from a critical file on the system to the directory or one of the files in the directory. Then, when YaST is updated, the symlinked file will be overwritten.
A local user may be able to gain the privileges of the YaST process (or the user running YaST).|
No solution was available at the time of this entry.|
Vendor URL: www.suse.de/ (Links to External Site)
Access control error, State error|
|Underlying OS: Linux (SuSE)|
|Underlying OS Comments: SuSE 9.0|
Source Message Contents
Subject: SuSEs YaST Online Update - possible symlink attack|
author:l0om - l0om[at]excluded.org - www.excluded.org
product:SuSE 9.0 maybe lower
possible symlink attack in SuSEs YOU [YaST Online
in SuSE linux you can use YOU to auto update your
you can do this by YaST or by hand with the command
as a normal user you can check for updates with the
options "-q" or "-k".
By doing this "online_update" will do the follwing:
creats a directory in /usr/tmp/you-$USER
in this direcoty it will creat the files "cookies",
"quickcheack" and "youservers" (furthermore
it creats some directorys- nevermind...).
it doesnt check for a allready existing directory
called "you-$USER" or for files like "cookies"
which may be there.
an attacker could create a directory like "/usr/tmp/
you-asdf" and put a link
there named "cookies" which points to a file in /
home/asdf he likes to overwrite.
then he should set the directory permissions on 777
otherwise the binary will fail to create files
now he have to get the user asdf to execute the "/
usr/bin/online_update" binary (maybe by mail or
write) and the file will be overwritten.
bye and have a lot of phun