daemon@ATHENA.MIT.EDU (Imran Ghory)
Mon Apr 11 13:13:21 2005
Message-ID: <7389fc4b0504061515557cd462@mail.gmail.com>
Date: Wed, 6 Apr 2005 23:15:12 +0100
From: Imran Ghory <imranghory@gmail.com>
Reply-To: Imran Ghory <imranghory@gmail.com>
To: bugtraq@securityfocus.com
================================
GNU Core Utilities race condition file-permissions vulnerability
================================
Software: mkdir, mknod, mkfifo
Version: Part of GNU Core Utilities 5.2.1
Software URL: <http://www.gnu.org/software/coreutils/>
Platform: Unix, Linux.
Vulnerability type: Race condition
Severity: Low, requires local attacker and badly set directory permissions.
Vulnerable software
====================
mkdir, mknod, mkfifo included in GNU Core Utilities 5.2.1.
Vulnerability
==============
If a malicious local user has write access to a directory in which a
target user runs mkdir/mknod/mkfifo with the -m (mode-setting) option
to create a file, a race condition can be exploited to make the change
of permission apply to any file belonging to that user.
The commands create the directory/node/fifo before applying chmod()
to change its permissions to those specified by the mode option.
There is a time gap between these two operations, which are not
atomic.
During this time gap a malicious user can remove the created file and
replace it with a hard-link to another file belonging to the user.
mkdir/mknod/mkfifo will then change the permissions on the hard-linked
file.
Fix
====
Ensure that any directory in which mkdir/mknod/mkfifo are used is
writable only by the user, or alternatively set the sticky bit on the
directory's permissions.
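
An added example, not part of the original advisory and not coreutils code: the create-then-chmod sequence described above next to a single-step creation, plus a check for the directory condition named under Fix. The function names are hypothetical, and the single-step form assumes a filesystem where the umask (not a default ACL) determines the created mode.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the advisory: create, then chmod() by name.
 * The second path lookup may no longer resolve to the object that
 * was just created if other users can write to the parent directory. */
int mkdir_then_chmod(const char *path, mode_t mode)
{
    if (mkdir(path, 0777) != 0)
        return -1;
    return chmod(path, mode);
}

/* Single-step form: with the umask cleared, mkdir() applies the final
 * permission bits at creation, so no chmod() by name follows. */
int mkdir_with_mode(const char *path, mode_t mode)
{
    mode_t old = umask(0);            /* process-wide, restored below */
    int rc = mkdir(path, mode & 0777);
    int saved = errno;
    umask(old);
    errno = saved;
    return rc;
}

/* Check from the Fix section: 1 if dir has no group/other write bit and
 * is owned by the caller, or has the sticky bit set; 0 otherwise;
 * -1 if dir cannot be examined or is not a directory. */
int dir_is_safe_for_creation(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        return st.st_uid == geteuid();
    return (st.st_mode & S_ISVTX) != 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int safe = dir_is_safe_for_creation(dir);
    printf("%s: %s\n", dir, safe == 1 ? "safe" : safe == 0 ? "unsafe" : "error");
    return safe == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Because umask() is process-wide, the single-step form is suited to single-threaded tools; a multi-threaded program would need to serialize the call.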