Bugtraq mailing list archives
Re: Mandrake 9.0 local root exploit
From: KF <dotslash () snosoft com>
Date: Thu, 27 Feb 2003 20:09:44 -0500
A portion of this exploit scenario has already been disclosed in the past. The tmp file issues in ml85p can be located at http://www.securityfocus.com/bid/3008
Mandrake has released an advisory (MDKSA-2003:010) which contains fixes:

The information contained below is the snippet from the iDEFENSE advisory http://www.idefense.com/advisory/01.21.03.txt. This condition has also already been exploited by SNOSoft with the help of Charles Stevenson:

VULNERABILITY THREE: The ml85p binary, installed set user id root, contains a race condition in its opening of temporary files. Successful exploitation provides an attacker with the ability to create or empty a file with super user privileges. The following snippet contains the offending segment of code:

    sprintf(gname,"/tmp/mlg85p%d",time(0));
    if (!(cbmf = fopen(gname,"w+"))) {

-KF
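Added example, not part of the message above or of the iDEFENSE advisory and not the fix Mandrake shipped: a C sketch of how the quoted sprintf()/fopen("w+") pattern can be hardened, with a self-check that compares both ways of opening a name that already exists. The function names, the /tmp/ml85p.XXXXXX template and the sample file name mlg85p12345 are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Replacement for sprintf()+fopen("w+"): mkstemp() picks an unpredictable
 * name and creates it with O_CREAT|O_EXCL and mode 0600. */
FILE *open_private_tmp(char *name, size_t len)
{
    static const char tmpl[] = "/tmp/ml85p.XXXXXX";   /* constructed name */
    if (len < sizeof tmpl) return NULL;
    snprintf(name, len, "%s", tmpl);
    int fd = mkstemp(name);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (!fp) { close(fd); unlink(name); }
    return fp;
}

/* If a fixed name is unavoidable: O_EXCL fails with EEXIST when anything,
 * a symlink included, already exists at the path. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Pre-create a 4-byte file at a predictable name in a private directory,
 * open it either way, and return the file's size afterwards. */
long size_after_open(int hardened)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/mlg85p12345", dir);
    FILE *pre = fopen(path, "w");
    if (!pre) { rmdir(dir); return -1; }
    fputs("data", pre); fclose(pre);
    if (hardened) {
        int fd = open_exclusive(path);      /* refused: -1, errno EEXIST */
        if (fd >= 0) close(fd);
    } else {
        FILE *fp = fopen(path, "w+");       /* pattern quoted above */
        if (fp) fclose(fp);
    }
    long size = (stat(path, &st) == 0) ? (long)st.st_size : -1;
    unlink(path); rmdir(dir);
    return size;
}
```

size_after_open(0) returns 0 because fopen("w+") truncates whatever already sits at the name, while size_after_open(1) returns 4 because the exclusive open is refused and the existing file is left intact.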