SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Fileutils (GNU) Vendors:   [Multiple Authors/Vendors]
(Sun Issues Fix) GNU Fileutils Package Race Condition May Allow Local Users to Cause a Root User to Remove the Entire Filesystem
SecurityTracker Alert ID:  1017618
SecurityTracker URL:  http://securitytracker.com/id/1017618
CVE Reference:   CVE-2002-0435   (Links to External Site)
Date:  Feb 9 2007
Impact:   Denial of service via local system, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.1 stable and 4.1.6 development version
Description:   A race condition vulnerability was reported in the GNU Fileutils package. A local user may be able to cause the entire filesystem to be removed by a root level user when the root user attempts to remove another directory (under certain conditions).

It is reported that a race condition exists in several components of the GNU fileutils package that may allow a local user to cause the root user to delete the entire filesystem.

According to the report, an insecure chdir("..") syscall is performed after removing the content of a subdirectory in order to get back to the upper directory during recursive removal of directory tree.

Condsider the following example of 'rm -fr /tmp/a' removing '/tmp/a/b/c' directory tree:

(strace output simplified for better readability)

chdir("/tmp/a") = 0
chdir("b") = 0
chdir("c") = 0
chdir("..") = 0
rmdir("c") = 0
chdir("..") = 0
rmdir("b") = 0
fchdir(3) = 0
rmdir("/tmp/a") = 0

In the above example, the race condition occurs after the current directory is changed to /tmp/a/b/c. If a local user then moves the /tmp/a/b/c directory to the /tmp/c directory, the two subsequent chdir("..") syscalls will apparently change to the root directory / and then rm will start removing files from the entire file system (if the calling user has sufficient privileges).

Impact:   A local user may be able to cause the entire filesystem to be removed by a root level user when the root user attempts to remove another directory (under certain conditions).
Solution:   Sun has issued the following fixes.

SPARC Platform

* Solaris 8 with patch 124969-01 or later
* Solaris 9 with patch 123372-02 or later
* Solaris 10 with patch 124244-01 or later

x86 Platform

* Solaris 8 with patch 124970-01 or later
* Solaris 9 with patch 123373-02 or later
* Solaris 10 with patch 124245-01 or later

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102782-1

Vendor URL:  www.gnu.org/software/fileutils/fileutils.html (Links to External Site)
Cause:   State error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  8, 9, 10

Message History:   This archive entry is a follow-up to the message listed below.
Mar 12 2002 GNU Fileutils Package Race Condition May Allow Local Users to Cause a Root User to Remove the Entire Filesystem



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC