Symlink attack with apmd of RH 7.2

[Enrico Scholz <enrico.scholz () informatik tu-chemnitz de>]

(Un)Affected Systems:
---------------------

  - Red Hat 7.2 "Enigma" with installed apmd-3.0final-34 package

  - previous Red Hat distributions are not affected
  - because vulnerability was introduced by a script being not in the
    official apmd package, most other GNU/Linux distributions are not
    affected


Description:
------------

/etc/sysconfig/apm-scripts/apmscript executes the line

|    touch /tmp/LOW_POWER

when
- the APM system signals a low-battery state and
- if $LOWPOWER_SERVICES is not empty (it defaults to "atd crond")

Because the apmscript is executed as the superuser, some kinds of symlink
attacks are possible.


Severity:
---------

Vulnerability is exploitable on a small amount of systems because the
APM low-battery state is signaled on laptops or special machines only.

Because the content of the touch'ed file will not be modified it seems
to be hard to gain additional privileges. But DoS attacks are possible.

Altogether, the vulnerability seems to have a low severity.


Proof of concept:
-----------------

[otheruser@bar]$ ssh foo
[otheruser@foo]$ exit

[joeuser@foo]$ ln -s /etc/nologin /tmp/LOW_POWER
 ...[provoke low-battery state; e.g. cut powerline and wait some time] ...

[otheruser@bar]$ ssh foo
Connection to foo closed.
[otheruser@bar]$


Vendor status:
--------------

Red Hat has been informed[1] on 2001-11-16, but has not reacted yet.




Regards,

Enrico

Footnotes: 
[1]  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389