================================
GNU Core Utilities race condition file-permissions vulnerability
================================
Software: mkdir, mknod, mkfifo
Version: Part of GNU Core Utilities 5.2.1
Software URL: <http://www.gnu.org/software/coreutils/>
Platform: Unix, Linux.
Vulnerability type: Race condition
Severity: Low, requires local attacker and badly set directory permissions.
Vulnerable software
====================
mkdir, mknod, mkfifo included in GNU Core Utilities 5.2.1.
Vulnerability
==============
If a malicious local user has write access to a directory in which a
target user is using mkdir/mknod/mkfifo with the -m (mode setting
option) to create a file then a race condition bug can be exploited to
make the change of permission apply to any file belonging to that
user.
The commands creates the directory/node/fifo before applying chmod()
to change their permission to that specified by the mode option.
Between these two activities there is a time gap, and these activies
are non-atomic.
During this time gap a malicious user can remove the created file and
replace it with a hard-link to another file belonging to the user.
mkdir/mknod/mkfifo will then change the permissions on the hard-linked
file.
Fix
====
Ensure that any directory in which mkdir/mknod/mkfifo are used are
only writeable by the user or alternatively set the sticky bit on the
directory's permissions
Received on Apr 11 2005
Intro
