There may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges.
During the creation of ticket files in the /tmp directory, a sequence of calls occur which may allow a local attacker to replace the ticket file with a symbolic link. If this symbolic link is followed when the ownership of the ticket file is set, the attacker may be able to gain ownership of files initially owned by root.
On systems where the sticky bit is not set on the /tmp directory, a local attacker can gain ownership of any file on the system. This allows the attacker to gain root privileges.
This attack may also be possible on systems where the /tmp directory does have its sticky bit set, depending on the exact sequence of calls used to create and set the ownership of the Kerberos ticket file.
Apply a patch from your vendor.
Apple Not Affected
Compaq Computer Corporation Not Affected
Fujitsu Not Affected
IBM Not Affected
Microsoft Not Affected
Data General Unknown
Hewlett Packard Unknown
KTH Kerberos Unknown
Washington University Unknown
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document.
This document was written by Cory F Cohen.
|Date First Published:||2000-12-19|
|Date Last Updated:||2001-01-11 15:20 UTC|