Overview
There may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges.
Description
During the creation of ticket files in the /tmp directory, a sequence of calls occur which may allow a local attacker to replace the ticket file with a symbolic link. If this symbolic link is followed when the ownership of the ticket file is set, the attacker may be able to gain ownership of files initially owned by root. |
Impact
On systems where the sticky bit is not set on the /tmp directory, a local attacker can gain ownership of any file on the system. This allows the attacker to gain root privileges. This attack may also be possible on systems where the /tmp directory does have its sticky bit set, depending on the exact sequence of calls used to create and set the ownership of the Kerberos ticket file. |
Solution
Apply a patch from your vendor. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
Other Information
| CVE IDs: | CVE-2001-0094 |
| Severity Metric: | 8.19 |
| Date Public: | 2000-12-09 |
| Date First Published: | 2000-12-19 |
| Date Last Updated: | 2001-01-11 15:20 UTC |
| Document Revision: | 9 |