Bugtraq mailing list archives

Re: RAZOR advisory: Linux util-linux chfn local root vulnerability


From: Andrew Pimlott <andrew () pimlott net>
Date: Tue, 30 Jul 2002 10:48:31 -0400

On Tue, Jul 30, 2002 at 09:59:36AM -0400, Michal Zalewski wrote:
> On Tue, 30 Jul 2002, Andrew Pimlott wrote:
>
> > If he is smart, he will check whether the file is open (eg with fuser)
> > before removing it.  So your attack does require an administrator
> > mistake.
>
> Not really. The file does not have to be open to be present in the system.
> It is perfectly possible to leave a dangling root-owned file several
> times, so that the administrator can do very little to determine where it
> came from.

Correct, but: the admin should still verify that it is not open
before deleting it (in his cron job).  IOW, when the file is present
but not open, the admin has no way to trace it, but at least
removing it is harmless.  When the file is present and open, the
clever admin will not only foil your exploit (by not removing the
file), but find the culprit (via fuser).

Maybe this is assuming too much prescience from the admin, but I
don't think so.  After all, an open /etc/ptmp could well be involved
in a legitimate chfn, and the admin wouldn't want to disrupt that.

Andrew
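The check Andrew describes (verify that nobody holds /etc/ptmp open before the cron job removes it), written out as an added example that is not code from this thread or from util-linux. It assumes a Linux /proc to enumerate open file descriptors; a real cron job would more likely call fuser(1) or lsof(1) and act on the same result. The path argument and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the thread): stale-lock cleanup that refuses to
# remove a file while any process still has it open, which is the fuser
# check the admin's cron job should make before rm.
# Assumes Linux /proc; fuser(1)/lsof(1) would give the same answer.

# holders FILE: print the PID of every process with FILE open, one per line.
# Exit status 0 if at least one holder was found, 1 otherwise.
holders() {
    target=$(readlink -f "$1") || return 1
    found=1
    for fd in /proc/[0-9]*/fd/*; do
        # fd directories of other users' processes are unreadable; skip them.
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "$target" ]; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
            found=0
        fi
    done
    return $found
}

# remove_if_stale FILE: delete FILE only when no process has it open.
# Returns 0 if the file is gone (removed, or never there), 2 if it was left
# in place because something still holds it, 1 on error.
remove_if_stale() {
    file=$1
    [ -e "$file" ] || return 0
    if pids=$(holders "$file"); then
        # Leave it alone: an open /etc/ptmp may be a legitimate chfn in
        # progress, or exactly the process worth looking at. Either way,
        # removing it now would be the wrong move.
        echo "$file is held open by pid(s):" $pids "- not removing" >&2
        return 2
    fi
    rm -f -- "$file" || return 1
    echo "removed stale $file" >&2
    return 0
}

# Cron usage would be: remove_if_stale /etc/ptmp
if [ $# -gt 0 ]; then
    remove_if_stale "$1"
fi
```

The point of returning a distinct status (2) when the file is in use is that the cron job can log or alert on that case instead of silently skipping it, which is what turns the check from "harmless" into "finds the culprit".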

