Re: Mandrake 9.0 local root exploit

[KF <dotslash () snosoft com>]

A portion of this exploit scenario has already been disclosed in the 
past. The tmp file issues in ml85p can be located at 
http://www.securityfocus.com/bid/3008

Mandrake has released an advisory (MDKSA-2003:010) which contains fixes:

The information contained below is the snippet from the iDEFENSE 
advisory http://www.idefense.com/advisory/01.21.03.txt. This condition 
has also already been exploited by SNOSoft with the help of Charles 
Stevenson:

 VULNERABILITY THREE: The ml85p binary, installed set user id root,
 contains a race condition in its opening of temporary files. Successful
 exploitation provides an attacker with the ability to create or empty a
 file with super user privileges. The following snippet contains the
 offending segment of code:

 sprintf(gname,"/tmp/mlg85p%d",time(0));
      if (!(cbmf = fopen(gname,"w+"))) {

-KF