================================ GNU Core Utilities race condition file-permissions vulnerability ================================ Software: mkdir, mknod, mkfifo Version: Part of GNU Core Utilities 5.2.1 Software URL: <http://www.gnu.org/software/cor

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ================================ GNU Core Utilities race condition file-permissions vulnerability ================================ Software: mkdir, mknod, mkfifo Version: Part of GNU Core Utilities 5.2.1 Software URL: <http://www.gnu.org/software/cor
From: Imran Ghory <imranghory@xxxxxxxxx>
Date: Wed, 6 Apr 2005 23:15:12 +0100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=IojKLrED1GvqVp57PzUSPaZpK3+VH3EjZ7sKIPDYftZdQc6CLsXc+tdeq2atnE/0WXNqfJ7obUGHcVZ3A0AMHmWmn7dc1RkcrRosFG9RSUOQpgUUrJfsagdotI1mfyQSQ8E4FsRnsQLrrHlZgyZeqgPrN+ICHiAr97iN692Usn0=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Imran Ghory <imranghory@xxxxxxxxx>

================================
GNU Core Utilities race condition file-permissions vulnerability 
================================

Software: mkdir, mknod, mkfifo
Version: Part of GNU Core Utilities 5.2.1
Software URL: <http://www.gnu.org/software/coreutils/>
Platform:  Unix, Linux.
Vulnerability type: Race condition
Severity: Low, requires local attacker and badly set directory permissions.


Vulnerable software
====================

mkdir, mknod, mkfifo included in GNU Core Utilities 5.2.1.

Vulnerability
============== 

If a malicious local user has write access to a directory in which a
target user is using mkdir/mknod/mkfifo with the -m (mode setting
option) to create a file then a race condition bug can be exploited to
make the change of permission apply to any file belonging to that
user.

The commands creates the directory/node/fifo before applying chmod()
to change their permission to that specified by the mode option.
Between these two activities there is a time gap, and these activies
are non-atomic.

During this time gap a malicious user can remove the created file and
replace it with a hard-link to another file belonging to the user.
mkdir/mknod/mkfifo will then change the permissions on the hard-linked
file.

Fix
====

Ensure that any directory in which mkdir/mknod/mkfifo are used are
only writeable by the user or alternatively set the sticky bit on the
directory's permissions

Follow-Ups:
- Re: ================================ GNU Core Utilities race condition file-permissions vulnerability ================================ Software: mkdir, mknod, mkfifo Version: Part of GNU Core Utilities 5.
  - From: Pavel Kankovsky

Prev by Date: Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code
Next by Date: iDEFENSE Security Advisory 04.11.05: Computer Associates BrightStor ARCserve Backup UniversalAgent Buffer Overflow
Previous by thread: RE: Miranda IM and Miranda Installer Let Local Users Execute Arbitrary Code
Next by thread: Re: ================================ GNU Core Utilities race condition file-permissions vulnerability ================================ Software: mkdir, mknod, mkfifo Version: Part of GNU Core Utilities 5.
Index(es):
- Date
- Thread