The 'makewhatis' script in the Linux man package allows local users to overwrite files via a symlink attack.
The 'makewhatis' program is a Bourne shell script that ships with many Linux distributions in the 'man' package of programs. The 'makewhatis' script creates files in the /tmp directory with predictable names. By using various symlink attacks, it is possible for local users to exploit this predictability to create or modify arbitrary files and gain elevated privilege. In addition, the 'makewhatis' script is run daily to rebuild the database used by the 'whatis' command. Local users may be able to read any system file by forcing a copy of it into the 'whatis' database.
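The safer counterpart to the temporary-file handling described above, as an added example that is not makewhatis code and not part of the original advisory: a privileged shell script creates an unpredictable, owner-only directory with mktemp -d and opens scratch files under noclobber, so a pre-planted symlink is refused rather than followed. The function names and the whatis.XXXXXXXXXX template are assumptions.

```shell
#!/bin/sh
# Added example, not makewhatis code. Function names and the
# "whatis.XXXXXXXXXX" template are hypothetical.
#
# Weak pattern described in the advisory: a scratch file whose name a local
# user can predict (for instance one built from the PID) and that is opened
# with a plain '>' redirection, which follows any symlink planted there.

# make_private_dir: print the path of a new, randomly named directory that
# only the calling user can enter. mktemp -d fails instead of reusing a name.
make_private_dir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/whatis.XXXXXXXXXX" )
}

# safe_write FILE: copy stdin to FILE only if FILE can be created fresh.
# With noclobber (set -C) the shell refuses an existing regular file,
# including one reached through a symlink, and creates missing files with
# O_EXCL, so a dangling symlink is refused as well.
safe_write() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# run_with_scratch CMD...: run CMD with the private directory appended as
# its last argument, then remove the directory whatever CMD returned.
run_with_scratch() {
    scratch=$(make_private_dir) || return 1
    status=0
    "$@" "$scratch" || status=$?
    rm -rf -- "$scratch"
    return "$status"
}
```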
The man package version 1.5e and higher is vulnerable to this flaw.
Many distributions of Linux contain the 'man' package. The vulnerability in 'makewhatis' can be exploited by local users to corrupt privileged (root) files on the system or to gain elevated privileges.
Versions of Linux in affected distributions should be upgraded.
Thanks to Red Hat for the information contained in their security advisory.
This document was written by Andrew P. Moore.
Date First Published: 2001-06-18
Date Last Updated: 2001-06-18 17:24 UTC