  [Announcement]   Red Hat Enterprise Linux init.d XFS Script chown Race 19/07/2007 20:03:01 (+0700) | #1 | 72249
conmale
Administrator

Red Hat Enterprise Linux init.d XFS Script chown Race Condition Vulnerability
------------------------------------------------------------------------


SUMMARY
XFS is the X Font Server, and is used to render fonts for the X Window System. "init.d" refers to the startup and shutdown scripts used by Linux platforms. At boot and shutdown time, these scripts are run by the init program to start and stop various system services.

Local exploitation of a race condition vulnerability in Red Hat Inc.'s Enterprise Linux init.d XFS script allows an attacker to elevate their privileges to root.

DETAILS
Vulnerable Systems:
* RedHat Enterprise Linux version 4
* Fedora Core 6
* (Other versions may also be affected)

The XFS script is vulnerable to a race condition when it is started by init, or by a system administrator. Specifically, it insecurely changes the file permissions of a temporary file. This allows an attacker to make any file on the system world writable.

Exploitation of this vulnerability results in an attacker gaining root privileges on the affected system.

However, in order to exploit this, it is necessary for either the system to be rebooted, or for the administrator to manually restart the XFS.

Vendor Status:
Red Hat has released errata updates for versions 4 and 5 of their
Enterprise Linux software. More information is available at the URLs shown
below.
https://rhn.redhat.com/errata/RHSA-2007-0519.html
https://rhn.redhat.com/errata/RHSA-2007-0520.html

CVE Information:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3103

Disclosure Timeline:
* 06/05/2007 - Initial vendor notification
* 06/06/2007 - Initial vendor response
* 07/12/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=557
What bringing us together is stronger than what pulling us apart.
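
Added example, not part of the original post and not Red Hat's script: the advisory describes an init script changing permissions on a temporary path by name, and one way to avoid that pattern is to create the path atomically and otherwise only verify it. The function name `ensure_private_dir` and the modes are hypothetical, and GNU coreutils `stat` is assumed.

```sh
#!/bin/sh
# Added example (not the Red Hat script). Names and modes are constructed.

# ensure_private_dir DIR MODE
#   MODE is octal without a leading zero, e.g. 755.
#   Returns 0 if DIR was created by this call, or already exists as a real
#   directory with exactly this owner and mode; returns 1 otherwise.
#   It never runs chmod/chown on a name that already existed, so there is
#   no window in which a swapped-in symlink could redirect the change.
ensure_private_dir() {
    dir=$1
    mode=$2

    # mkdir(2) is atomic and fails if any entry, including a dangling
    # symlink, already occupies the name. -m sets the mode at creation.
    if mkdir -m "$mode" -- "$dir" 2>/dev/null; then
        return 0
    fi

    # The name exists. stat without -L does a single lstat(), so type, owner
    # and mode describe the same object and symlinks are not followed.
    info=$(stat -c '%F:%u:%a' -- "$dir" 2>/dev/null) || return 1
    if [ "$info" = "directory:$(id -u):$mode" ]; then
        return 0
    fi

    echo "refusing to use $dir (found: $info)" >&2
    return 1
}
```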
  [Question]   Re: Red Hat Enterprise Linux init.d XFS Script chown Race 20/07/2007 00:05:59 (+0700) | #2 | 72326
xnohat
Moderator


conmale wrote:
However, in order to exploit this, it is necessary for either the system to be rebooted, or for the administrator to manually restart the XFS.
 


You forgot to bold these two things :) . It is really hard to reboot the system or restart the X Font Server without root privileges. If I already had root privileges, why would I still need to exploit it? :)
Just clear, "What I need to do and how to do it"
Chat box moved to: http://www.facebook.com/hvaonline
  [Question]   Re: Red Hat Enterprise Linux init.d XFS Script chown Race 20/07/2007 00:14:55 (+0700) | #3 | 72329
conmale
Administrator


hackernohat wrote:

conmale wrote:
However, in order to exploit this, it is necessary for either the system to be rebooted, or for the administrator to manually restart the XFS.
 


You forgot to bold these two things :) . It is really hard to reboot the system or restart the X Font Server without root privileges. If I already had root privileges, why would I still need to exploit it? :)


You can still exploit it.

1) You wait for the server to reboot (scheduled maintenance, patching, for example).

2) You use another exploit that is able to hang the server, keeping the CPU under continuous high load.

As long as the server restarts, that is all it takes.
What bringing us together is stronger than what pulling us apart.