Summary:
The Advanced Power Management daemon (apmd) as shipped with some versions of Red Hat Linux contains a symlink vulnerability that allows a local user to create arbitrary files, or update the timestamps of existing ones, with root privileges.
Credit:
The information has been provided by Enrico Scholz.
Vulnerable systems:
* Red Hat Linux 7.1 and prior
Immune systems:
* Red Hat Linux 7.2 "Enigma" with apmd-3.0final-34 installed
* Most other GNU/Linux distributions are not affected (the vulnerable script is Red Hat's own addition, not part of upstream apmd)
Details:
The script /etc/sysconfig/apm-scripts/apmscript executes the line

    touch /tmp/LOW_POWER

when
- the APM system signals a low-battery state, and
- $LOWPOWER_SERVICES is not empty (it defaults to "atd crond").
Because apmscript runs as the superuser and /tmp is world-writable, a local user can create /tmp/LOW_POWER in advance as a symlink to an arbitrary path. touch(1) follows the link, so the target is created (if it does not exist) or has its timestamps updated (if it does) with root privileges. The attacker does not have to win a race: the symlink can be planted at any time and simply waits for the next low-battery event.
Severity:
The vulnerability is exploitable on only a small number of systems, because the APM low-battery state is signaled only on laptops and similar battery-powered machines.
Because touch does not modify the content of an existing file, gaining additional privileges appears to be hard. Denial-of-service attacks, such as creating /etc/nologin to lock out all non-root logins, are possible, however.
Altogether, the vulnerability appears to be of low severity.
Proof of concept:
$ ssh foo
$ exit
$ ln -s /etc/nologin /tmp/LOW_POWER
...[provoke low-battery state; e.g. cut powerline and wait some time] ...
$ ssh foo
Connection to foo closed.
$
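The following is an added example, not part of the advisory and not Red Hat's apmscript: a small POSIX sh script that reproduces the symlink-following behaviour of the touch line from the Details section, and the /etc/nologin effect shown in the proof of concept, inside an unprivileged scratch directory, and places a replacement beside it that refuses to follow a symlink. The names $SCRATCH, $TARGET and $FLAG and the functions plant_symlink, vulnerable_touch, safe_touch and demo are assumptions of this example; they stand in for /tmp, /etc/nologin and /tmp/LOW_POWER so the script can be run as any user without touching the real system.

```shell
#!/bin/sh
# Added example (not Red Hat's apmscript): shows why a privileged
# "touch /tmp/LOW_POWER" follows an attacker-planted symlink, and a
# replacement that never follows one. Runs unprivileged: $SCRATCH stands
# in for /tmp and $TARGET for /etc/nologin (both constructed here).

SCRATCH=$(mktemp -d)            # stand-in for the world-writable /tmp
TARGET="$SCRATCH/etc_nologin"   # stand-in for /etc/nologin
FLAG="$SCRATCH/LOW_POWER"       # the name the privileged script touches
trap 'rm -rf "$SCRATCH"' EXIT

# Attacker's preparation: plant a symlink at the flag name, pointing at
# the file that should appear (or be re-timestamped) with root's rights.
plant_symlink() {
    rm -f "$FLAG"
    ln -s "$TARGET" "$FLAG"
}

# What apmscript does. touch(1) follows symlinks, so when the link
# dangles the target is created; when it exists, its mtime is updated.
vulnerable_touch() {
    touch "$FLAG"
}

# Replacement that only ever creates a plain file at $FLAG itself:
#  - refuse if the name is a symlink ([ -L ] uses lstat);
#  - treat an existing regular file as "flag already set" (assumption:
#    the consumer of the flag only tests for its existence);
#  - otherwise create under noclobber (set -C): when the name does not
#    exist the shell opens it with O_CREAT|O_EXCL, and when a regular
#    file exists the redirection is refused, so a symlink planted after
#    the checks makes the create fail instead of being followed.
safe_touch() {
    if [ -L "$FLAG" ]; then
        echo "refusing to follow symlink: $FLAG" >&2
        return 1
    fi
    [ -e "$FLAG" ] && return 0
    ( set -C; : > "$FLAG" ) 2>/dev/null
}

# Stand-alone run: the vulnerable path creates the target, the safe one
# does not. Leaves the scratch directory empty afterwards.
demo() {
    plant_symlink
    vulnerable_touch
    [ -f "$TARGET" ] && echo "vulnerable: $TARGET was created via symlink"
    rm -f "$TARGET"
    plant_symlink
    safe_touch || echo "safe: symlink rejected, $TARGET not created"
    rm -f "$FLAG" "$TARGET"
}

demo
```

The safe variant removes the symlink-following problem but still keeps its state in a directory other users can write to: a local user can pre-create the flag as a plain file or delete it, and a symlink to an existing non-regular file (a device, say) is still opened without O_EXCL by the noclobber logic. The fix that removes the whole class is to keep such state in a root-owned directory (for example under /var/run) rather than in /tmp.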
Vendor status:
Red Hat was informed on 2001-11-16 but has not yet responded.