SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Bzip2 Vendors:   [Multiple Authors/Vendors]
bzip2 Race Condition Lets Local Users Modify Permissions of Certain Files
SecurityTracker Alert ID:  1013629
SecurityTracker URL:  http://securitytracker.com/id/1013629
CVE Reference:   CVE-2005-0953   (Links to External Site)
Updated:  Jun 30 2008
Original Entry Date:  Apr 2 2005
Impact:   Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 1.0.2 and prior versions
Description:   A file permission vulnerability was reported in bzip2. A local user can change the permissions of certain files on the target system.

A local user with write access to a directory that the target user is using bzip2 with to extract or compress a file can change the permissions on any file owned by the target user.

When extracting a file, the software applies the permissions of a compressed file to the uncompressed file. However, there is a time period between when the file handle for the uncompressed file is closed and the permissions are changed. A local user can exploit this race condition by replacing the decompressed file with a hardlink to another file on the target system during that time period. The hardlinked file's permissions will be changed to the permissions of the compressed bzip2 file.

Impact:   A local user can cause the permissions on files owned by the target user to be changed when the target user decompresses a file using bzip2.
Solution:   No vendor solution was available at the time of this entry.

As a workaround, the author of the report indicates that you can make sure that any directory that is being used by bzip2 to compress/decompress files is only writeable by the user or you can set the sticky bit on the directory's permissions.

Vendor URL:  sources.redhat.com/bzip2/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 17 2005 (Red Hat Issues Fix) bzip2 Race Condition Lets Local Users Modify Permissions of Certain Files
Red Hat has released a fix.
Jun 29 2005 (FreeBSD Issues Fix) bzip2 Race Condition Lets Local Users Modify Permissions of Certain Files
FreeBSD has released a fix.
Jun 30 2008 (Sun Issues Fix) bzip2 Race Condition Lets Local Users Modify Permissions of Certain Files
Sun has issued a fix for Solaris 8, 9, and 10.



 Source Message Contents

Subject:  bzip2 TOCTOU file-permissions vulnerability


================================
bzip2 TOCTOU file-permissions vulnerability 
================================

Software: bzip2
Version: 1.0.2
Software URL: <http://sources.redhat.com/bzip2/>
Platform:  Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low, requires local attacker and badly set directory permissions.


Vulnerable software
====================

bzip2 1.0.2 and previous versions running on unix. 

bzip2 1.0.2 compiled for Windows using lcc or MS Visual C++  is not effected.

Vulnerability
============== 

If a malicious local user has write access to a directory in which a
target user is using bzip2 to extract or compress a file to then a
TOCTOU bug can be exploited to change the permission of any file
belonging to that user.

On decompressing bzip2 copies the permissions from the compressed
bzip2 file to the
uncompressed file. However there is a gap between the uncompressed
file being written (and it's file handler being close) and the
permissions of the file being changed.

During this gap a malicious user can remove the decompressed file and
replace it with a hard-link to another file belonging to the user.
bzip2 will then change the permissions on the  hard-linked file to be
the same as that of the bzip2 file.

Fix
====

Ensure that any directory which is being used by bzip2 to
compress/decompress files is only writeable by the user or
alternatively set the sticky bit on the directory's permissions

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC