Redhat

v13 at priest.com
Tue Dec 4 19:25:01 EET 2001


I don't want to (re)start a flame war, but how can you trust an OS that makes mistakes like this??? Can something that goes and creates files in /tmp as root "by default", without any reason whatsoever, be considered serious? (Even /var/tmp would have been a better solution than /tmp.) (Even better, tmpfs, which not many people use; it works wonders...)

It is "outrageously" stupid for this mistake to be made by OSes that want to be considered OK. (Nobody say anything about Solaris.) Having a problem because of some program that ships together with the OS is tolerable... but this, I think, goes too far...

And as the mail says... it appeared in 7.2... That is, even though such mistakes are widely discussed and well known, they are still being made even now..

<<V13>>

----------  Forwarded Message  ----------

Subject: Symlink attack with apmd of RH 7.2
Date: 04 Dec 2001 03:33:56 +0100
From: Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de>
To: bugtraq at securityfocus.com

(Un)Affected Systems:
---------------------

  - Red Hat 7.2 "Enigma" with installed apmd-3.0final-34 package

  - previous Red Hat distributions are not affected
  - because the vulnerability was introduced by a script that is not in the
    official apmd package, most other GNU/Linux distributions are not
    affected


Description:
------------

/etc/sysconfig/apm-scripts/apmscript executes the line

|    touch /tmp/LOW_POWER

when
- the APM system signals a low-battery state and
- if $LOWPOWER_SERVICES is not empty (it defaults to "atd crond")

Because the apmscript is executed as the superuser, some kinds of symlink
attacks are possible.


Severity:
---------

The vulnerability is exploitable on a small number of systems because the
APM low-battery state is signaled on laptops or special machines only.

Because the content of the touch'ed file will not be modified, it seems
to be hard to gain additional privileges. But DoS attacks are possible.

Altogether, the vulnerability seems to have a low severity.


Proof of concept:
-----------------

[otheruser at bar]$ ssh foo
[otheruser at foo]$ exit

[joeuser at foo]$ ln -s /etc/nologin /tmp/LOW_POWER
 ...[provoke low-battery state; e.g. cut powerline and wait some time] ...

[otheruser at bar]$ ssh foo
Connection to foo closed.
[otheruser at bar]$


Vendor status:
--------------

Red Hat has been informed[1] on 2001-11-16, but has not reacted yet.




Regards,

Enrico

Footnotes: 
[1]  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389
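A hardened replacement for the `touch /tmp/LOW_POWER` line in the forwarded advisory, as an added example (not code from the advisory or from the apmd package): the flag is only ever created inside a directory that is a real directory, owned by the invoking user and not world-writable, and a symlink planted at the flag path is refused instead of followed. FLAG_DIR and its default /var/run/apm are assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the apmd package: a
# drop-in for the `touch /tmp/LOW_POWER` line that refuses to create the flag
# in a directory where another user could plant a symlink first.
# Assumption: FLAG_DIR (hypothetical default /var/run/apm) is a directory
# created by root, owned by root and not world-writable; /tmp fails the check.

FLAG_DIR="${FLAG_DIR:-/var/run/apm}"

# safe_touch_flag DIR NAME
# Creates DIR/NAME as an empty regular file, or returns 1 without touching
# anything if the location cannot be trusted.
safe_touch_flag() {
    dir=$1
    name=$2
    path="$dir/$name"

    # DIR must be a real directory (a symlink fails -type d because find does
    # not follow it), owned by the invoking user and not world-writable.
    # This is the actual fix: with no other user able to create entries in
    # DIR, the lstat-then-open race below is no longer exploitable.
    ok=$(find "$dir" -prune -type d ! -perm -002 -user "$(id -un)" -print 2>/dev/null || true)
    if [ -z "$ok" ]; then
        echo "refusing: $dir is not a private directory owned by $(id -un)" >&2
        return 1
    fi

    # Never write through a symlink or a non-regular file placed at PATH.
    if [ -L "$path" ]; then
        echo "refusing: $path is a symbolic link" >&2
        return 1
    fi
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "refusing: $path exists and is not a regular file" >&2
        return 1
    fi

    # noclobber: a missing flag is created with O_EXCL instead of by opening
    # whatever is there; an existing regular flag file is left as it is.
    ( set -C; : > "$path" ) 2>/dev/null || [ -f "$path" ]
}

# Invoke with --run to create the flag in FLAG_DIR (as apmscript would).
if [ "${1:-}" = "--run" ]; then
    safe_touch_flag "$FLAG_DIR" LOW_POWER
fi
```

/var/tmp is world-writable as well, so it fails the directory check just as /tmp does; the check wants a dedicated state directory that only root can populate.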


