Overview
mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.
Description
mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files. |
Impact
By creating a symbolic link named '.last_run' and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low. |
Solution
Apply vendor patches; see the Systems Affected section below. |
Disable the faxrunq service. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.securityfocus.com/bid/2187
- http://www.caldera.com/support/security/advisories/CSSA-2001-002.0.txt
- http://www.linuxsecurity.com/advisories/caldera_advisory-1059.html
- http://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html
- http://www.linuxsecurity.com/advisories/debian_advisory-1184.html
- ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:71.mgetty.asc
- http://www.linuxsecurity.com/advisories/freebsd_advisory-894.html
- http://www.redhat.com/support/errata/RHSA-2001-050.html
- http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html
- http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-009.php3?dis=6.1
- http://www.linuxsecurity.com/advisories/other_advisory-1034.html
Acknowledgements
This vulnerability was first identified by Greg Kroah-Hartman of Immunix.
This document was last changed by Tim Shimeall.
Other Information
| CVE IDs: | CVE-2001-0141 |
| Severity Metric: | 1.13 |
| Date Public: | 2001-01-10 |
| Date First Published: | 2001-10-01 |
| Date Last Updated: | 2001-11-08 18:10 UTC |
| Document Revision: | 17 |