Re: RAZOR advisory: Linux util-linux chfn local root vulnerability
From: Andrew Pimlott (andrew@pimlott.net)Date: 07/30/02
- Previous message: bugzilla@redhat.com: "[RHSA-2002:155-11] Updated openssl packages fix remote vulnerabilities"
- In reply to: Michal Zalewski: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Next in thread: Andreas Beck: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Next in thread: Szemkel: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Reply: Andreas Beck: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Jul 2002 10:48:31 -0400 To: Michal Zalewski <lcamtuf@bos.bindview.com> From: Andrew Pimlott <andrew@pimlott.net>
On Tue, Jul 30, 2002 at 09:59:36AM -0400, Michal Zalewski wrote:
> On Tue, 30 Jul 2002, Andrew Pimlott wrote:
>
> > If he is smart, he will check whether the file is open (eg with fuser)
> > before removing it. So your attack does require an administrator
> > mistake.
>
> Not really. The file does not have to be open to be present in the system.
> It is prefectly possible to leave a dangling root-owned file several
> times, so that the administrator can do very little to determine where it
> came from.
Correct, but: the admin should still verify that it is not open
before deleting it (in his cron job). IOW, when the file is present
but not open, the admin has no way to trace it, but at least
removing it is harmless. When the file is present and open, the
clever admin will not only foil your exploit (by not removing the
file), but find the culprit (via fuser).
Maybe this is assuming too much prescience from the admin, but I
don't think so. After all, an open /etc/ptmp could well be involved
in a legitimate chfn, and the admin wouldn't want to disrupt that.
Andrew
- Previous message: bugzilla@redhat.com: "[RHSA-2002:155-11] Updated openssl packages fix remote vulnerabilities"
- In reply to: Michal Zalewski: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Next in thread: Andreas Beck: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Next in thread: Szemkel: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Reply: Andreas Beck: "Re: RAZOR advisory: Linux util-linux chfn local root vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
