[26423] in bugtraq
Re: RAZOR advisory: Linux util-linux chfn local root vulnerability
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Jul 30 17:53:27 2002
Date: Tue, 30 Jul 2002 09:59:36 -0400 (EDT)
From: Michal Zalewski <lcamtuf@bos.bindview.com>
To: Andrew Pimlott <andrew@pimlott.net>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20020730053536.GF1593@pimlott.net>
Message-ID: <Pine.LNX.4.42.0207300952550.4453-100000@nimue.bos.bindview.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 30 Jul 2002, Andrew Pimlott wrote:
> If he is smart, he will check whether the file is open (e.g. with fuser)
> before removing it. So your attack does require an administrator
> mistake.
Not really. The file does not have to be open to be present in the system.
It is perfectly possible to leave a dangling root-owned file several
times, so that the administrator can do very little to determine where it
came from. The attack itself requires the file to be open, but it can
happen long after the administrator started removing this file routinely.
> However! There appears to be an attack that does not require any
> administrator action.
Appears to be true, good point.
--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/