[linux-security] tmpwatch root exploit
- To: linux-security
- Subject: [linux-security] tmpwatch root exploit
- Date: Tue, 10 Oct 2000 11:27:55 -0700 (PDT)
Synopsis
========
tmpwatch has a local denial of service and root exploit.

Problem description
===================
The tmpwatch program periodically cleans up files in temporary directories
by removing all files older than a certain age. In Red Hat Linux 6.1, 6.2,
and 7.0, it used fork() to recursively process subdirectories. If a
malicious user created many layers of subdirectories (thousands) in a
temporary directory monitored by tmpwatch, the system process table would
fill up, requiring a reboot.

Additionally, tmpwatch in RH 6.2 and RH 7.0 contains an option, "--fuser", that
attempts to use the fuser command to check if a file is in use before
removal. However, it executed fuser with the system() call in an insecure
fashion. A malicious user could construct an environment such that this
provided them a local root shell. Tmpwatch now uses execle() to run fuser.
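
The difference between the two calls, as an added example (not tmpwatch's own code): system() hands a command string to /bin/sh together with the caller's environment, while execle() takes each argument as a separate argv element and an explicit environment. The helper names, the /sbin/fuser path, the use of fuser's -s flag and the sample file name are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "helper flag path" with no shell in between. The path is one argv
 * element, so a space or ';' in a file name is never parsed as syntax, and
 * the child gets a fixed environment instead of the caller's.
 * Returns the helper's exit status, or -1 if it could not be run. */
int run_helper(const char *helper, const char *flag, const char *path)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execle(helper, helper, flag, path, (char *)NULL, clean_env);
        _exit(127);                     /* exec itself failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* fuser -s exits 0 when a process has the file open (path is assumed). */
int file_in_use(const char *path)
{
    return run_helper("/sbin/fuser", "-s", path) == 0;
}

/* Constructed check: a name with a space and ';' reaches /bin/ls intact. */
int demo_odd_name(void)
{
    char dir[] = "/tmp/execle_demo_XXXXXX", path[64];
    FILE *f;
    int rc;

    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/a b;c", dir);
    if (!(f = fopen(path, "w"))) return -1;
    fclose(f);
    rc = run_helper("/bin/ls", "-d", path);
    unlink(path); rmdir(dir);
    return rc;
}
```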

Solution
========
RedHat 6.1, 6.2
    upgrade to version 2.6.2-1.6.2, i.e.,
        rpm -Fvh tmpwatch-2.6.2-1.6.2.i386.rpm
RedHat 7.0
    upgrade to version 2.6.2-1.7, i.e.,
        rpm -Fvh tmpwatch-2.6.2-1.7.i386.rpm
RedHat 6.0
    not affected.
Mandrake 6.x, 7.x
    upgrade to version 2.6.2-1mdk, i.e.,
        rpm -Fvh tmpwatch-2.6.2-1mdk.i586.rpm