Bugtraq mailing list archives

Re: Red Hat 9: free tickets


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 2 Jul 2003 23:14:36 +0200 (CEST)

On Wed, 2 Jul 2003, Carlos Villegas wrote:

> This way of attack seems useless to me. This is also used on RH 8.0
> systems, and for both 8.0 and 9 systems:
>
> drwx------    4 root     root         4096 Jun 27 08:43 /var/run/sudo
>
> Which means that if the packages are properly built (and will make sure
> that this directory gets these permissions if it existed before the
> rpm is installed), this attack will gain you nothing, since you need
> to be root to exploit it.

You have missed a point.

Please look at any vulnerability archives on the net, there are one to
several insecure file creation reports every week in applications that
either are run as root, or are invoked from boot scripts, or from cron
jobs. In most of those cases, it is possible to create a dangling symlink
and then exploit this problem to create a file in a location the attacker
has chosen, with permissions of the victim (root).

Those vulnerabilities are generally considered a lesser threat, as there
seemed to be no practical method to easily gain root privileges just by
creating a file when no control over its contents can be exercised (again,
most cases). There is less interest in finding and fixing those problems,
and administrators are not that quick about addressing them.

Thanks to pam_timestamp_check[.so] and the way it is used in Red Hat, it
is now possible to gain root in a generic way in those scenarios.

That's all. I could post it along with results of a quick grep and a bunch
of programs that do create files this way, but I believe it would only
confuse the reader. I think it's pam_timestamp_check that should be fixed,
because it makes it needlessly trivial to exploit this vector.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-07-02 23:06 --
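The vulnerability class the post describes (a privileged program creating a file through a path where an attacker has planted a dangling symlink) and the fix on the application side are shown below in an added C example. It is not code from the thread or from Red Hat; the directory, file names and the `naive_create`/`safe_create` helpers are constructed for the demonstration. The naive routine uses `open(2)` with only `O_CREAT`, so the kernel follows the link and creates the link's target; the hardened routine adds `O_EXCL` and `O_NOFOLLOW`, which makes `open(2)` fail when anything (including a symlink) already sits at the path, so no file appears at the attacker-chosen location.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive creation, the pattern behind the reports the post mentions:
 * open(2) follows a symlink at `path`, so a dangling link planted there
 * makes the (privileged) caller create the link's target instead. */
int naive_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened creation: O_EXCL makes open(2) fail if anything already exists
 * at `path`, symlinks included, and O_NOFOLLOW refuses to traverse a symlink
 * as the final path component. Either flag alone defeats the dangling-link
 * trick; together they also reject a pre-existing regular file. */
int safe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* True when a regular file (not a symlink) exists at `path`; lstat(2) is used
 * so the planted link itself is never mistaken for the created target. */
int regular_file_exists(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Scenario (constructed for this demo): a scratch directory holding a dangling
 * symlink "link" -> "target". Both routines are asked to create "link".
 * Returns 0 when the naive routine produced "target" and the safe one did not;
 * otherwise a non-zero code naming the step that misbehaved. */
int demo_dangling_symlink(void) {
    const char *base = getenv("TMPDIR");
    if (base == NULL) base = "/tmp";
    char dir[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/symlink-demo.XXXXXX", base);
    if (mkdtemp(dir) == NULL) return 1;

    char link[PATH_MAX], target[PATH_MAX];
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    /* Plant the dangling link: it points at a file that does not exist yet. */
    if (symlink(target, link) != 0) { rmdir(dir); return 2; }

    int rc = 0;
    /* Step 1: the naive open follows the link and creates the target. */
    if (naive_create(link) != 0 || !regular_file_exists(target)) rc = 3;
    unlink(target);  /* reset so step 2 starts from the dangling state again */

    /* Step 2: the hardened open refuses, and no target appears. */
    if (safe_create(link) == 0 || regular_file_exists(target)) rc = rc ? rc : 4;

    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void) {
    int rc = demo_dangling_symlink();
    printf("naive open followed the link, safe open refused: %s (rc=%d)\n",
           rc == 0 ? "yes" : "no", rc);
    return rc;
}
```

`O_EXCL` on its own is what POSIX guarantees: if the final component is a symbolic link, `open` fails with `EEXIST` regardless of where the link points, which is why `mkstemp(3)` is safe where a hand-rolled `fopen(path, "w")` is not. `O_NOFOLLOW` is a Linux and BSD extension worth adding anyway, because it also protects the non-`O_CREAT` case (a privileged program opening an existing path for writing or truncation). Neither flag helps when the symlink is in a parent directory component; for that, the directory itself must be owned by the caller and not world-writable, which is the point made about `/var/run/sudo` in the quoted message.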

