[UNIX] APMd Vulnerable to Symlink Attack (RedHat)

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 15 Dec 2001 10:12:45 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  APMd Vulnerable to Symlink Attack (RedHat)
------------------------------------------------------------------------

SUMMARY

The Advanced Power Management daemon (apmd), as shipped with some versions of
Red Hat Linux, contains a symlink vulnerability that allows a local user to
create or overwrite files with root privileges.

DETAILS

Vulnerable systems:
 * RedHat 7.1 and prior

Immune systems:
 * RedHat 7.2 "Enigma" with installed apmd-3.0final-34
 * Most other GNU/Linux distributions are not affected, because the vulnerable
   script is a custom one written by Red Hat

The script /etc/sysconfig/apm-scripts/apmscript executes the line

| touch /tmp/LOW_POWER

when both of the following hold:
 - the APM system signals a low-battery state, and
 - $LOWPOWER_SERVICES is not empty (it defaults to "atd crond").

Because apmscript runs as the superuser, and /tmp is world-writable, the
touch follows any symlink a local user has placed at /tmp/LOW_POWER, so some
kinds of symlink attacks are possible.
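A defensive counterpart to the touch line above, added here as an example (not code from the advisory or from Red Hat's apmscript): a POSIX sh function that creates a flag file only when nothing already exists at the path, plus a demo that replays the symlink setup in a scratch directory. The names create_flag and demo, and the scratch paths, are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the advisory or from Red Hat's apmscript.
# create_flag: create a state-flag file (the role /tmp/LOW_POWER plays in
# apmscript) without following a symlink a local user may have planted.
# Returns 0 when a fresh regular file was created, 1 otherwise.
create_flag() {
    flag="$1"
    # -L catches symlinks, dangling ones included; -e catches anything else.
    # Anything already present at a path we expect to own is refused.
    if [ -L "$flag" ] || [ -e "$flag" ]; then
        echo "refusing $flag: path already exists (possible symlink plant)" >&2
        return 1
    fi
    # With noclobber (-C) set, '>' on a nonexistent name behaves like an
    # exclusive create, so a symlink slipped in after the check above makes
    # the create fail instead of truncating the link target. The structural
    # fix is a root-owned directory (e.g. under /var/run), not /tmp.
    ( set -C; : > "$flag" ) 2>/dev/null || return 1
    # Confirm the result is a regular file reached without a symlink.
    [ -f "$flag" ] && ! [ -L "$flag" ]
}

# demo: rebuild the advisory's setup with constructed paths in a scratch
# directory (a symlink named LOW_POWER pointing at a file that must stay
# untouched), then check that the guarded create refuses it and still
# works on a clean path. Returns 0 if both checks pass.
demo() {
    d=$(mktemp -d) || return 1
    ln -s "$d/victim" "$d/LOW_POWER"           # constructed symlink plant
    rc=0
    if create_flag "$d/LOW_POWER"; then
        echo "FAIL: create followed the symlink" >&2; rc=1
    elif [ -e "$d/victim" ]; then
        echo "FAIL: link target was created" >&2; rc=1
    else
        rm -f "$d/LOW_POWER"
        if create_flag "$d/LOW_POWER"; then
            echo "ok: symlink refused, clean flag created at $d/LOW_POWER"
        else
            echo "FAIL: clean create failed" >&2; rc=1
        fi
    fi
    rm -rf "$d"
    return $rc
}

if [ "${1-}" = "--demo" ]; then demo; fi
```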

Severity:
The vulnerability is exploitable on only a small number of systems, because
the APM low-battery state is signaled on laptops or special machines only.

Because touch does not modify the content of an existing file (it only
creates the file or updates its timestamp), gaining additional privileges
appears to be hard. However, denial-of-service attacks are possible.

Altogether, the vulnerability seems to have a low severity.

Proof of concept:
$ ssh foo
$ exit

$ ln -s /etc/nologin /tmp/LOW_POWER
 ...[provoke a low-battery state, e.g. disconnect the power line and wait some time]...

$ ssh foo
Connection to foo closed.
$

Vendor status:
Red Hat was informed on 2001-11-16 but has not yet responded.

ADDITIONAL INFORMATION

The information has been provided by Enrico Scholz
<mailto:enrico.scholz@informatik.tu-chemnitz.de>.
