SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   YaST Vendors:   SuSE
SuSE YaST 'online_update' Temporary File Symlink Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1009668
SecurityTracker URL:  http://securitytracker.com/id/1009668
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 5 2004
Impact:   Modification of system information, Modification of user information, User access via local system
Exploit Included:  Yes  

Description:   A temporary file vulnerability was reported in the SuSE YaST Online Update feature. A local user may be able to obtain elevated privileges.

l0om from excluded.org reported that when the 'online_update' function is invoked, the software will create the following files in the '/usr/tmp/you-$USER' directory: 'cookies', 'quickcheack', and 'youservers'. A local user can create a symbolic link (symlink) from a critical file on the system to the directory or one of the files in the directory. Then, when YaST is updated, the symlinked file will be overwritten.
Impact:   A local user may be able to gain the privileges of the YaST process (or the user running YaST).
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.suse.de/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (SuSE)
Underlying OS Comments:  SuSE 9.0

Message History:   None.

 Source Message Contents
Subject:  SuSEs YaST Online Update - possible symlink attack




author:l0om - l0om[at]excluded.org - www.excluded.org 
date:05.04.2004 
product:SuSE 9.0 maybe lower 
 
possible symlink attack in SuSEs YOU [YaST Online 
Update] 
 
in SuSE linux you can use YOU to auto update your 
system. 
you can do this by YaST or by hand with the command 
"online_update". 
as a normal user you can check for updates with the 
options "-q" or "-k". 
By doing this "online_update" will do the follwing: 
creats a directory in /usr/tmp/you-$USER 
in this direcoty it will creat the files "cookies", 
"quickcheack" and "youservers" (furthermore 
it creats some directorys- nevermind...). 
it doesnt check for a allready existing directory 
called "you-$USER" or for files like "cookies" 
which may be there. 
 
an attacker could create a directory like "/usr/tmp/
you-asdf" and put a link 
there named "cookies" which points to a file in /
home/asdf he likes to overwrite. 
then he should set the directory permissions on 777 
otherwise the binary will fail to create files 
in /usr/tmp/asdf. 
now he have to get the user asdf to execute the "/
usr/bin/online_update" binary (maybe by mail or 
write) and the file will be overwritten. 
 
bye and have a lot of phun 
	l0om


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC