SecurityTracker.com
Category:   Application (Generic)  >   SuSE Scripts (various)
Vendors:   SuSE
Several SuSE Scripts Use Unsafe Temporary Files and May Allow Local Users to Gain Elevated Privileges
SecurityTracker Alert ID:  1008781
SecurityTracker URL:  http://securitytracker.com/id/1008781
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 20 2004
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system


Description:   Vulnerabilities were reported in several scripts shipped with SuSE Linux. A local user may be able to gain elevated privileges.

l0om reported that the following SuSE Linux 9.0 scripts use temporary files in an unsafe manner:

/usr/X11R6/bin/fvwm-bug
/usr/X11R6/bin/wm-oldmenu2new
/usr/X11R6/bin/x11perfcomp
/usr/X11R6/bin/xf86debug
/opt/kde3/bin/winpopup-send.sh
/sbin/lvmcreate_initrd

A local user may be able to create a symbolic link, at the path of one of the predictable temporary files, that points to a critical file on the system. Then, when the affected script is executed, the linked file may be modified or overwritten by the script.

The specific impact depends on how the script is called and the privileges of the calling function.

Impact:   A local user may be able to cause arbitrary files to be modified or overwritten with the privileges of another user or process.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.suse.de/
Cause:   Access control error, State error
Underlying OS:  Linux (SuSE)
Underlying OS Comments:  9.0

Message History:   None.


 Source Message Contents

Subject:  [SuSE 9.0] possible symlink attacks in some scripts




Product: some scripts shipped with suse 9.0 
Date: 20.01.2004 
Author: l0om <l0om@excluded.org> 
 
greetings, 
i have done a little research on a SuSE linux 9.0 box 
for possible symlink attacks. i have checked nearly 
every script i could find on the system. i haven't 
found much and nothing very special. i don't have a 
clue if the following scripts are somewhere on the 
system executed but maybe someone uses them in a 
script or something like that. 
 
 
** 
/usr/X11R6/bin/fvwm-bug 
[...] 
TEMP=/tmp/fvwm-bug.$$ 
[...] 
cat > $TEMP <<EOF 
[...] 
 
** 
/usr/X11R6/bin/wm-oldmenu2new 
[...] 
T=/tmp/wmmenu$$ 
[...] 
cp $OLD_MENU $T-c 
[...] 
 
** 
/usr/X11R6/bin/x11perfcomp 
[...] 
tmp=${TMPDIR-/tmp}/rates.$$ 
mkdir $tmp || exit 1 
[...] 
mkdir $tmp/rates 
[...] 
-l)     cp $2 $tmp/labels 
[...] 
rm -rf $tmp 
[...] 
 
** 
/usr/X11R6/bin/xf86debug 
[...] 
gdb << EOF &> /tmp/xf86debug.1.log 
echo "Debugger output written to /tmp/xf86debug.1.log." #thx for that info 
[...] 
 
** 
/opt/kde3/bin/winpopup-send.sh 
echo "$2" > /tmp/.winpopup-new 
echo `date +"%a %l:%m %p"` >> /tmp/.winpopup-new 
cat "$1" | tr "\000" "\012" >> /tmp/.winpopup-new 
mv -f /tmp/.winpopup-new /tmp/.winpopup 
 
** 
/sbin/lvmcreate_initrd 
[...] 
DEVRAM=/tmp/initrd.$$ 
[...] 
verbose "using $DEVRAM as a temporary loopback file" #thx for that info 
dd if=/dev/zero of=$DEVRAM count=$INITRDSIZE bs=1024 > /dev/null 2>&1 
[...] 
 
**********  greets @ proxy, takt, maximilian, sirius, 
dna, fe2k, xnet, zexl 
		     	   rest of excluded.org 
		     nofx, rancid, bad religion, less 
than jake ... 
			www.excluded.org  --l0om 
		     		have Phun! 
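
The predictable-name pattern quoted in the message above, next to hardened replacements. This is an added example, not part of the original advisory, l0om's post or the SuSE scripts; the function names and the "report" file name are hypothetical, and mktemp is assumed to be installed.

```shell
#!/bin/sh
# Added example: function names and the "report" file name are hypothetical.

# BEFORE: same shape as TEMP=/tmp/fvwm-bug.$$ followed by cat > $TEMP.
# The name is guessable, and ">" writes through a link already at that path.
write_unsafe() {        # $1 = directory, $2 = text
    t="$1/report.$$"
    printf '%s\n' "$2" > "$t"
    printf '%s\n' "$t"
}

# AFTER: mktemp chooses an unpredictable name and creates the file
# exclusively with mode 0600, so an existing link is never reused.
write_safe() {          # $1 = directory, $2 = text
    t=$(mktemp "$1/report.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$t"
    printf '%s\n' "$t"
}

# When the name must stay fixed (the /tmp/.winpopup-new shape): noclobber
# makes ">" fail when the path already leads to a regular file, directly
# or through a link, so the script fails closed instead of overwriting it.
write_exclusive() {     # $1 = path, $2 = text
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}
```

Files created by write_safe still need removing, typically with a trap on EXIT in the calling script.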

 
 



Copyright 2021, SecurityGlobal.net LLC