Bugtraq mailing list archives

Re: RAZOR advisory: Linux util-linux chfn local root vulnerability


From: Michal Zalewski <lcamtuf () bos bindview com>
Date: Tue, 30 Jul 2002 09:59:36 -0400 (EDT)

On Tue, 30 Jul 2002, Andrew Pimlott wrote:

> If he is smart, he will check whether the file is open (eg with fuser)
> before removing it.  So your attack does require an administrator
> mistake.

Not really. The file does not have to be open to be present in the system.
It is perfectly possible to leave a dangling root-owned file several
times, so that the administrator can do very little to determine where it
came from. The attack itself requires the file to be open, but it can
happen long after the administrator started removing this file routinely.

> However!  There appears to be an attack that does not require any
> administrator action.

Appears to be true, good point.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/


