search menu icon-carat-right cmu-wordmark

CERT Coordination Center

mgetty creates temporary files insecurely

Vulnerability Note VU#396272

Original Release Date: 2001-10-01 | Last Revised: 2001-11-08

Overview

mgetty, a replacement for getty designed to support modem and fax use, creates files of a predictable name in a world-writable directory without checking for the prior existence or ownership of the file. Using a symbolic link attack, an intruder might cause the overwrite of arbitrary files on the system, but the risk of elevated privileges is low.

Description

mgetty uses the faxrunq service to process faxes. This involves use of the world-writable /var/spool/fax/outgoing/ directory to store temporary files. These temporary files are created without checking for prior existence or ownership of the files.

Impact

By creating a symbolic link named '.last_run' and pointing towards any existing file, an attacker can cause mgetty to overwrite the file. Since the attacker cannot control the content of the overwritten file, the risk of exploiting this for elevated privileges is low.

Solution

Apply vendor patches; see the Systems Affected section below.

Disable the faxrunq service.

Vendor Information

396272
 

View all 25 vendors View less vendors


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was first identified by Greg Kroah-Hartman of Immunix.

This document was last changed by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0141
Severity Metric: 1.13
Date Public: 2001-01-10
Date First Published: 2001-10-01
Date Last Updated: 2001-11-08 18:10 UTC
Document Revision: 17

Sponsored by CISA.