[29087] in bugtraq


Re: Mandrake 9.0 local root exploit

daemon@ATHENA.MIT.EDU (KF)
Fri Feb 28 11:12:22 2003

Message-ID: <3E5EB6D8.6050209@snosoft.com>
Date: Thu, 27 Feb 2003 20:09:44 -0500
From: KF <dotslash@snosoft.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <20030227214304.9023.qmail@www.securityfocus.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

A portion of this exploit scenario has already been disclosed in the 
past. The tmp file issues in ml85p can be located at 
http://www.securityfocus.com/bid/3008

Mandrake has released an advisory (MDKSA-2003:010) which contains fixes:

The information contained below is the snippet from the iDEFENSE 
advisory http://www.idefense.com/advisory/01.21.03.txt. This condition 
has also already been exploited by SNOSoft with the help of Charles 
Stevenson:

  VULNERABILITY THREE: The ml85p binary, installed set user id root,
  contains a race condition in its opening of temporary files. Successful
  exploitation provides an attacker with the ability to create or empty a
  file with super user privileges. The following snippet contains the
  offending segment of code:

  sprintf(gname,"/tmp/mlg85p%d",time(0));
       if (!(cbmf = fopen(gname,"w+"))) {

-KF

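The two quoted lines show the whole problem: a name derived from time(0) is guessable, and fopen(..., "w+") follows whatever is already sitting at that path. The following C program is an added example, not part of KF's post, the iDEFENSE advisory or the ml85p source; it places the quoted pattern beside the hardened form (mkstemp, or open with O_CREAT|O_EXCL|O_NOFOLLOW for a fixed name), then checks that a pre-placed file or symlink at the chosen name makes the open fail instead of being written through. The function names ml85p_style_open, safe_tmp_open, exclusive_create, fd_is_private_regular and demo are all constructed for the example.

```c
#define _DEFAULT_SOURCE          /* mkstemp() and O_NOFOLLOW in glibc headers */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* The pattern quoted from the advisory, kept only for side-by-side contrast
 * (constructed wrapper; the real ml85p code is not on the page beyond the two
 * lines it quotes). The name is predictable and fopen() follows symlinks, so a
 * setuid process would create or truncate whatever a link at that name points to.
 * Not called anywhere below. */
FILE *ml85p_style_open(char *gname, size_t len) {
    snprintf(gname, len, "/tmp/mlg85p%ld", (long)time(0));
    return fopen(gname, "w+");
}

/* Hardened form: mkstemp() fills XXXXXX with an unpredictable suffix and creates
 * the file with O_CREAT|O_EXCL and mode 0600 in a single step, so anything that
 * already exists at the chosen name makes the call fail rather than be followed.
 * /tmp is hard-coded on purpose: a setuid program must not trust $TMPDIR.
 * Returns an open fd or -1 with errno set; 'path' receives the final name. */
int safe_tmp_open(char *path, size_t len) {
    if ((size_t)snprintf(path, len, "/tmp/mlg85p.XXXXXX") >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/* Same guarantee when the name is fixed by the caller: O_CREAT|O_EXCL refuses to
 * proceed if any object (a dangling symlink included) already exists at 'path',
 * and O_NOFOLLOW is a second line of defence. Returns an fd or -1 (errno EEXIST
 * when something was already there). */
int exclusive_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Post-open sanity check on the descriptor itself (never on the path, which can
 * change underneath us): a freshly created private temp file is a regular file,
 * owned by our effective uid, with a single hard link and no group/other bits.
 * Returns 1 if all of that holds, 0 otherwise. */
int fd_is_private_regular(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid() && st.st_nlink == 1
           && (st.st_mode & 077) == 0;
}

/* Run the whole sequence once. Returns 0 on success, otherwise the number of the
 * step whose guarantee failed, so a test can name the broken property. */
int demo(void) {
    char path[64];
    int fd = safe_tmp_open(path, sizeof path);
    if (fd < 0) return 1;
    if (strstr(path, "XXXXXX") != NULL) { close(fd); return 2; }  /* template unfilled */
    if (!fd_is_private_regular(fd)) { close(fd); unlink(path); return 3; }

    /* A second exclusive create at the same, now-occupied name must fail with EEXIST. */
    int again = exclusive_create(path);
    if (again >= 0) { close(again); close(fd); unlink(path); return 4; }
    if (errno != EEXIST) { close(fd); unlink(path); return 4; }
    close(fd);
    unlink(path);

    /* Simulate a symlink already sitting at the (now free) name, the condition the
     * advisory describes, and confirm the exclusive open refuses it rather than
     * writing through to the link target. */
    if (symlink("/dev/null", path) != 0) return 5;
    int via_link = exclusive_create(path);
    int refused = (via_link < 0 && errno == EEXIST);
    if (via_link >= 0) close(via_link);
    unlink(path);
    return refused ? 0 : 6;
}

int main(void) {
    int rc = demo();
    printf("temp-file hardening demo: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The check in fd_is_private_regular deliberately uses fstat() on the descriptor rather than stat() on the name: once the file is open, the path is irrelevant and re-examining it would reintroduce the same check-then-use window the exclusive open just closed.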
