Bugtraq mailing list archives

Symlink attack with apmd of RH 7.2
From: Enrico Scholz <enrico.scholz () informatik tu-chemnitz de>
Date: 04 Dec 2001 03:33:56 +0100

(Un)Affected Systems:
---------------------

  - Red Hat 7.2 "Enigma" with the apmd-3.0final-34 package installed

  - previous Red Hat distributions are not affected
  - because the vulnerability was introduced by a script that is not in the
    official apmd package, most other GNU/Linux distributions are not
    affected


Description:
------------

/etc/sysconfig/apm-scripts/apmscript executes the line

|    touch /tmp/LOW_POWER

when
- the APM system signals a low-battery state and
- $LOWPOWER_SERVICES is not empty (it defaults to "atd crond")

Because the apmscript is executed as the superuser, some kinds of symlink
attacks are possible.


Severity:
---------

The vulnerability is exploitable on a small number of systems, because the
APM low-battery state is signaled only on laptops or special machines.

Because the content of the touched file is not modified, it seems to be
hard to gain additional privileges. But DoS attacks are possible.

Altogether, the vulnerability seems to be of low severity.


Proof of concept:
-----------------

[otheruser@bar]$ ssh foo
[otheruser@foo]$ exit

[joeuser@foo]$ ln -s /etc/nologin /tmp/LOW_POWER
 ...[provoke low-battery state; e.g. cut power line and wait some time] ...

[otheruser@bar]$ ssh foo
Connection to foo closed.
[otheruser@bar]$


Vendor status:
--------------

Red Hat was informed[1] on 2001-11-16 but has not reacted yet.




Regards,

Enrico

Footnotes: 
[1]  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56389
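
The pattern behind the advisory, plus the two usual ways to close it, as an
added example; this is not code from the advisory or from Red Hat's apmscript.
It runs as an unprivileged user inside a scratch directory that stands in for
/, so the /tmp, /etc and /var/run/apm paths are assumed, sandboxed locations
and nothing on the real system is touched. Function names (plant_symlink,
vulnerable_low_power, checked_low_power, safe_low_power, target_created,
reset_target) are this example's own. The vulnerable function does exactly
what the quoted `touch /tmp/LOW_POWER` line does: touch follows the planted
symlink, so the privileged script creates /etc/nologin for the attacker, which
is what makes sshd turn otheruser away in the proof of concept.

```shell
#!/bin/sh
# Added illustration of the apmscript symlink pattern and two ways to close it.
# Not code from the advisory or from Red Hat's apmd package. All paths live
# under a scratch directory standing in for /, so /tmp, /etc and /var/run/apm
# below are assumed, sandboxed locations; nothing here needs root.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/tmp" "$ROOT/etc" "$ROOT/var/run/apm"
chmod 1777 "$ROOT/tmp"   # world-writable and sticky, like a real /tmp

# Attacker's move (joeuser in the advisory): plant a dangling symlink at the
# fixed name the privileged script will touch later.
plant_symlink() {
    rm -f "$ROOT/tmp/LOW_POWER"
    ln -s "$ROOT/etc/nologin" "$ROOT/tmp/LOW_POWER"
}

# Vulnerable form, equivalent to the line quoted in the advisory. touch follows
# the symlink, so the privileged script creates /etc/nologin on the attacker's
# behalf (and sshd then refuses non-root logins).
vulnerable_low_power() {
    touch "$ROOT/tmp/LOW_POWER"
}

# Mitigation A: keep the path but refuse symlinks and non-regular files. This
# stops the PoC, but the check and the touch are separate syscalls, so an
# attacker who swaps the link in between still wins (TOCTOU). Band-aid only.
checked_low_power() {
    flag="$ROOT/tmp/LOW_POWER"
    if [ -L "$flag" ]; then
        echo "refusing to follow symlink $flag" >&2
        return 1
    fi
    if [ -e "$flag" ] && [ ! -f "$flag" ]; then
        echo "refusing: $flag is not a regular file" >&2
        return 1
    fi
    touch "$flag"
}

# Mitigation B: move the flag out of the world-writable directory into one
# only root can write to (assumed /var/run/apm, mode 0755). Unprivileged users
# cannot create an entry there, so there is nothing to follow and no race.
safe_low_power() {
    touch "$ROOT/var/run/apm/LOW_POWER"
}

# Did the attacker get a file created at the symlink's target?
target_created() {
    [ -e "$ROOT/etc/nologin" ]
}

reset_target() {
    rm -f "$ROOT/etc/nologin"
}

# Stand-alone walk-through: vulnerable form first, then both mitigations.
plant_symlink
vulnerable_low_power
if target_created; then echo "vulnerable: attacker got /etc/nologin created"; fi
reset_target
checked_low_power 2>/dev/null || echo "checked: symlink rejected"
safe_low_power && echo "safe: flag written under /var/run/apm"
reset_target
```

Mitigation A is what a quick patch to the script would look like; mitigation B
is the real fix, since the problem is not the symlink itself but a privileged
process creating files at a fixed name inside a directory every local user can
write to.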

