From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 18 Jul 2007 12:38:16 +0200
Subject: [UNIX] Red Hat Enterprise Linux init.d XFS Script chown Race Condition Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070718101935.DC11C5964@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Red Hat Enterprise Linux init.d XFS Script chown Race Condition
Vulnerability
------------------------------------------------------------------------
SUMMARY
XFS is the X Font Server, and is used to render fonts for the X Window
System. "init.d" refers to the startup and shutdown scripts used by Linux
platforms. At boot and shutdown time, these scripts are run by the init
program to start and stop various system services.
Local exploitation of a race condition vulnerability in Red Hat Inc.'s
Enterprise Linux init.d XFS script allows an attacker to elevate their
privileges to root.
DETAILS
Vulnerable Systems:
* RedHat Enterprise Linux version 4
* Fedora Core 6
* (Other versions may also be affected)
The XFS script is vulnerable to a race condition when it is started by
init, or by a system administrator. Specifically, it insecurely changes
the file permissions of a temporary file. This allows an attacker to make
any file on the system world writable.
Exploitation of this vulnerability results in an attacker gaining root
privileges on the affected system.
However, in order to exploit this, it is necessary for either the system
to be rebooted, or for the administrator to manually restart the XFS.
Vendor Status:
Red Hat has released errata updates for versions 4 and 5 of their
Enterprise Linux software. More information is available at the URLs shown
below.
<https://rhn.redhat.com/errata/RHSA-2007-0519.html>
https://rhn.redhat.com/errata/RHSA-2007-0519.html
<https://rhn.redhat.com/errata/RHSA-2007-0520.html>
https://rhn.redhat.com/errata/RHSA-2007-0520.html
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3103>;
CVE-2007-3103
Disclosure Timeline:
* 06/05/2007 - Initial vendor notification
* 06/06/2007 - Initial vendor response
* 07/12/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=557>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=557
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
