Bugtraq mailing list archives
Re: RAZOR advisory: Linux util-linux chfn local root vulnerability
From: Andrew Pimlott <andrew () pimlott net>
Date: Tue, 30 Jul 2002 10:48:31 -0400
On Tue, Jul 30, 2002 at 09:59:36AM -0400, Michal Zalewski wrote:
> On Tue, 30 Jul 2002, Andrew Pimlott wrote:
> > If he is smart, he will check whether the file is open (eg with fuser) before removing it. So your attack does require an administrator mistake.
>
> Not really. The file does not have to be open to be present in the system. It is perfectly possible to leave a dangling root-owned file several times, so that the administrator can do very little to determine where it came from.

Correct, but: the admin should still verify that it is not open before deleting it (in his cron job). IOW, when the file is present but not open, the admin has no way to trace it, but at least removing it is harmless. When the file is present and open, the clever admin will not only foil your exploit (by not removing the file), but find the culprit (via fuser).

Maybe this is assuming too much prescience from the admin, but I don't think so. After all, an open /etc/ptmp could well be involved in a legitimate chfn, and the admin wouldn't want to disrupt that.

Andrew
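
The check-before-delete cron job discussed in this message, sketched as an added example (not code from the thread or from util-linux). It reads /proc/*/fd directly to find open descriptors, which is the information the message suggests getting from fuser; the function names and the message format are assumptions.

```shell
#!/bin/sh
# Added example: cleanup of a leftover lock file such as /etc/ptmp.
# Function names are illustrative. Run as root: an unprivileged user
# cannot read other users' /proc/PID/fd entries and would see no holders.

# Print each PID that holds $1 open, one per line; print nothing if none.
lock_holders() {
    target=$1
    for fd in /proc/[0-9]*/fd/*; do
        # -ef compares device and inode, so the match does not depend
        # on the path name the process used to open the file.
        [ "$fd" -ef "$target" ] 2>/dev/null || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -un
}

# Remove $1 (default /etc/ptmp) only when no process has it open.
# Returns 0 if the file was removed or absent, 1 if it was left in place.
clean_stale_lock() {
    target=${1:-/etc/ptmp}
    [ -e "$target" ] || return 0
    holders=$(lock_holders "$target")
    if [ -n "$holders" ]; then
        # Open file: leave it alone and record who has it, since it may be
        # a legitimate chfn in progress or something worth investigating.
        echo "$target is open, not removing; holders:" >&2
        for pid in $holders; do
            ps -o pid=,user=,args= -p "$pid" >&2 || true
        done
        return 1
    fi
    # Limit of this approach: the check and the unlink are not atomic,
    # so a process can still open the file between the two steps.
    rm -f -- "$target"
}
```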