SuSE YaST 'online_update' Temporary File Symlink Flaw Lets Local Users Gain Elevated Privileges
|
SecurityTracker Alert ID: 1009668 |
SecurityTracker URL: http://securitytracker.com/id/1009668
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 5 2004
|
Impact:
Modification of system information, Modification of user information, User access via local system
|
Exploit Included: Yes
|
|
Description:
A temporary file vulnerability was reported in the SuSE YaST Online Update feature. A local user may be able to obtain elevated privileges.
l0om from excluded.org reported that when the 'online_update' function is invoked, the software will create the following files in the '/usr/tmp/you-$USER' directory: 'cookies', 'quickcheack', and 'youservers'. A local user can create a symbolic link (symlink) from a critical file on the system to the directory or one of the files in the directory. Then, when YaST is updated, the symlinked file will be overwritten.
|
Impact:
A local user may be able to gain the privileges of the YaST process (or the user running YaST).
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.suse.de/ (Links to External Site)
|
Cause:
Access control error, State error
|
Underlying OS: Linux (SuSE)
|
Underlying OS Comments: SuSE 9.0
|
|
Message History:
None.
|
Source Message Contents
|
Subject: SuSEs YaST Online Update - possible symlink attack
|
author:l0om - l0om[at]excluded.org - www.excluded.org
date:05.04.2004
product:SuSE 9.0 maybe lower
possible symlink attack in SuSEs YOU [YaST Online
Update]
in SuSE linux you can use YOU to auto update your
system.
you can do this by YaST or by hand with the command
"online_update".
as a normal user you can check for updates with the
options "-q" or "-k".
By doing this "online_update" will do the follwing:
creats a directory in /usr/tmp/you-$USER
in this direcoty it will creat the files "cookies",
"quickcheack" and "youservers" (furthermore
it creats some directorys- nevermind...).
it doesnt check for a allready existing directory
called "you-$USER" or for files like "cookies"
which may be there.
an attacker could create a directory like "/usr/tmp/
you-asdf" and put a link
there named "cookies" which points to a file in /
home/asdf he likes to overwrite.
then he should set the directory permissions on 777
otherwise the binary will fail to create files
in /usr/tmp/asdf.
now he have to get the user asdf to execute the "/
usr/bin/online_update" binary (maybe by mail or
write) and the file will be overwritten.
bye and have a lot of phun
l0om
|
|