[linux-security] tmpwatch root exploit
Synopsis
========
tmpwatch has a local denial of service and root exploit.

Problem description
===================
The tmpwatch program periodically cleans up files in temporary directories
by removing all files older than a certain age.  In Red Hat Linux 6.1, 6.2,
and 7.0, it used fork() to recursively process subdirectories.  If a
malicious user created many layers of subdirectories (thousands) in a
temporary directory monitored by tmpwatch, the system process table would
fill up, requiring a reboot.

Additionally, tmpwatch in RH 6.2 and RH 7.0 contains an option, "--fuser", that
attempts to use the fuser command to check if a file is in use before
removal.  However, it executed fuser with the system() call in an insecure
fashion.  A malicious user could construct an environment such that this
provided them a local root shell.  Tmpwatch now uses execle() to run fuser.
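As an added example (not tmpwatch's own code), the hardened pattern the fix describes: the helper is started with fork() and an exec call given an absolute path and a fixed environment, so nothing from the caller's environment reaches the child and no shell ever parses the command line. It uses execve(), the array form of the execle() the advisory names; the function and variable names are hypothetical.

```c
/* Added example: run a helper such as fuser without system().
 * system() hands the line to /bin/sh under the caller's environment
 * (PATH, IFS, LD_PRELOAD ...); here the child gets only clean_env. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The only environment the child ever sees. */
static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };

/* Run the program at `path` (must be absolute) with argv, wait for it,
 * and return its exit status, or -1 on refusal or fork/exec failure.
 * No shell is involved, so the arguments are never re-parsed. */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                 /* no PATH lookup: absolute paths only */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                /* exec failed; do not run parent code */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Simulate a hostile caller environment, then see what the child gets. */
    setenv("PATH", "/tmp/attacker-controlled", 1);
    setenv("EVIL_VAR", "set-by-caller", 1);
    char *const check[] = { "sh", "-c",
        "echo \"child PATH=$PATH EVIL_VAR=${EVIL_VAR:-unset}\"", NULL };
    return run_clean("/bin/sh", check);
}
```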

Solution
========
Red Hat 6.1, 6.2
upgrade to version 2.6.2-1.6.2, i.e.,
rpm -Fvh tmpwatch-2.6.2-1.6.2.i386.rpm

Red Hat 7.0
upgrade to version 2.6.2-1.7, i.e.,
rpm -Fvh tmpwatch-2.6.2-1.7.i386.rpm

Red Hat 6.0
not affected.

Mandrake 6.x, 7.x
upgrade to version 2.6.2-1mdk, i.e.,
rpm -Fvh tmpwatch-2.6.2-1mdk.i586.rpm