Date: Wed, 6 Apr 2005 23:15:12 +0100
From: Imran Ghory <imranghory@...il.com>
To: bugtraq@...urityfocus.com
Subject: ================================ GNU Core Utilities race condition file-permissions vulnerability ================================ Software: mkdir, mknod, mkfifo Version: Part of GNU Core Utilities 5.2.1 Software URL: <http://www.gnu.org/software/cor


================================
GNU Core Utilities race condition file-permissions vulnerability 
================================

Software: mkdir, mknod, mkfifo
Version: Part of GNU Core Utilities 5.2.1
Software URL: <http://www.gnu.org/software/coreutils/>
Platform:  Unix, Linux.
Vulnerability type: Race condition
Severity: Low, requires local attacker and badly set directory permissions.


Vulnerable software
====================

mkdir, mknod, mkfifo included in GNU Core Utilities 5.2.1.

Vulnerability
============== 

If a malicious local user has write access to a directory in which a
target user is using mkdir/mknod/mkfifo with the -m (mode setting
option) to create a file then a race condition bug can be exploited to
make the change of permission apply to any file belonging to that
user.

The commands creates the directory/node/fifo before applying chmod()
to change their permission to that specified by the mode option.
Between these two activities there is a time gap, and these activies
are non-atomic.

During this time gap a malicious user can remove the created file and
replace it with a hard-link to another file belonging to the user.
mkdir/mknod/mkfifo will then change the permissions on the hard-linked
file.

Fix
====

Ensure that any directory in which mkdir/mknod/mkfifo are used are
only writeable by the user or alternatively set the sticky bit on the
directory's permissions

Powered by blists - more mailing lists