Bugtraq mailing list archives
Re: Red Hat 9: free tickets
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 2 Jul 2003 23:14:36 +0200 (CEST)
On Wed, 2 Jul 2003, Carlos Villegas wrote:
> This way of attack seems useless to me. This is also used on RH 8.0
> systems, and for both 8.0 and 9 systems:
>
> drwx------ 4 root root 4096 Jun 27 08:43 /var/run/sudo
>
> Which means that if the packages are properly built (and will make sure
> that this directory gets these permissions if it existed before the rpm
> is installed), this attack will gain you nothing, since you need to be
> root to exploit it.
You have missed a point. Please look at any vulnerability archives on the net: there are one to several insecure file creation reports every week in applications that either are run as root, or are invoked from boot scripts, or from cron jobs. In most of those cases, it is possible to create a dangling symlink and then exploit this problem to create a file in a location the attacker has chosen, with the permissions of the victim (root).

Those vulnerabilities are generally considered a lesser threat, as there seemed to be no practical method to easily gain root privileges just by creating a file when no control over its contents can be exercised (again, in most cases). There is less interest in finding and fixing those problems, and administrators are not that quick about addressing them.

Thanks to pam_timestamp_check[.so] and the way it is used in Red Hat, it is now possible to gain root in a generic way in those scenarios. That's all. I could post it along with the results of a quick grep and a bunch of programs that do create files this way, but I believe it would only confuse the reader.

I think it's pam_timestamp_check that should be fixed, because it makes it needlessly trivial to exploit this vector.

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-07-02 23:06 --
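The file-creation flaw Zalewski is describing, as an added example that is not part of the original post, of Red Hat's packages or of pam_timestamp_check itself: a privileged program that creates a file with a plain O_CREAT open() will follow a symlink that an attacker has pre-placed at that name, so the file ends up at the link's target with the caller's ownership. The hardened form refuses symlinks outright. The demo runs entirely inside a private temporary directory with a constructed "spool" link (a hypothetical name, not one from the thread), so nothing privileged is involved.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the post: create a file with plain O_CREAT. If the name
 * is already a dangling symlink, the kernel follows it and the file is
 * created at the link's target, owned by the (privileged) caller. */
int create_following_symlinks(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST when the name already
 * exists, and POSIX requires that to apply even when the name is a symlink
 * (dangling or not); O_NOFOLLOW additionally refuses to traverse a symlink
 * in the final path component. Returns an fd, or -1 with errno set. */
int create_refusing_symlinks(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a fresh temp directory: "spool" is a dangling
 * symlink to "target". Returns 1 if the unsafe open created "target" through
 * the link and the hardened open refused to, 0 otherwise (or on setup error). */
int demo_dangling_symlink(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char link[256], target[256];
    struct stat st;
    int followed = 0, refused = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/spool", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    if (symlink(target, link) == 0) {
        /* Unsafe variant: succeeds, and "target" now exists. */
        int fd = create_following_symlinks(link);
        followed = (fd >= 0) && (stat(target, &st) == 0);
        if (fd >= 0)
            close(fd);

        /* Remove the created target so the hardened variant sees the same
         * dangling link the unsafe one did. */
        unlink(target);

        /* Hardened variant: fails with EEXIST or ELOOP (which one depends on
         * the order the kernel applies the two checks) and creates nothing. */
        errno = 0;
        int fd2 = create_refusing_symlinks(link);
        refused = (fd2 < 0) && (errno == EEXIST || errno == ELOOP)
                  && (stat(target, &st) != 0);
        if (fd2 >= 0)
            close(fd2);
    }

    unlink(target);
    unlink(link);
    rmdir(dir);
    return followed && refused;
}

int main(void)
{
    puts(demo_dangling_symlink()
         ? "plain O_CREAT followed the dangling symlink; O_EXCL|O_NOFOLLOW refused it"
         : "demo could not be set up");
    return 0;
}
```

When auditing boot scripts and cron jobs for the pattern the post mentions, the thing to look for is exactly this: a file created under a directory others can write to, without O_EXCL or O_NOFOLLOW (or the shell equivalent, e.g. `>` redirection into such a directory). Creating the file in a directory only root can write to, as the quoted `/var/run/sudo` listing does, is the other half of the fix.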
Current thread:
- Red Hat 9: free tickets Michal Zalewski (Jul 02)
- Re: Red Hat 9: free tickets Carlos Villegas (Jul 02)
- Re: Red Hat 9: free tickets Michal Zalewski (Jul 02)
- Re: Red Hat 9: free tickets Carlos Villegas (Jul 02)