Shadow Utils useradd utility sets incorrect file permissions

2007-12-14T00:00:00
ID VU:312692
Type cert
Reporter CERT
Modified 2007-12-14T00:00:00

Description

Overview

The Shadow Utilities contain a vulnerability that may result in new user mailboxes having arbitrary permissions.

Description

The Shadow Utilities provide tools to manage user accounts.

When useradd creates a new user's mailbox, the open() call that creates the file passes O_CREAT but omits the mode argument that O_CREAT requires. The file is therefore created with whatever value happens to occupy that argument slot, so the new mailbox ends up with random permissions.
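As an added illustration in C (not code from the shadow-utils project), the corrected pattern: the mode is always passed when O_CREAT is set, O_EXCL refuses to reuse an existing file, and fstat() verifies the result instead of trusting the request. A second helper audits a mailbox for group/other bits, the check an administrator would run over a mail spool populated before the fix. The names create_mailbox, mailbox_is_exposed and MAILBOX_MODE are chosen here.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits a fresh mailbox should have: owner read/write only.
 * The process umask can only clear bits from this, never add any. */
#define MAILBOX_MODE (S_IRUSR | S_IWUSR)

/*
 * Create a new mailbox at path and return the permission bits it actually
 * received (e.g. 0600), or -1 on error.
 *
 * The vulnerable useradd did open(path, O_CREAT | O_WRONLY) with no third
 * argument, so the kernel took the mode from whatever was in that slot.
 * The fix is to pass the mode explicitly whenever O_CREAT is set.  O_EXCL
 * makes the call fail instead of reusing a file that already exists, and
 * fstat() checks the outcome rather than trusting the request.
 */
int create_mailbox(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, MAILBOX_MODE);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);
}

/*
 * Audit helper for mailboxes created before the fix: return 1 if any
 * group/other permission bit is set on the regular file at path, 0 if it
 * is owner-only, -1 if the path is missing, a symlink, or not a regular file.
 */
int mailbox_is_exposed(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode))
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}
```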


Impact

A local, unprivileged attacker may be able to gain access to newly created mailbox files.


Solution

Affected vendors have released updates to address this issue. Users are encouraged to see the Systems Affected portion of this document for a partial list of affected vendors.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Gentoo Linux| | 17 May 2006| 14 Dec 2007
Apple Computer, Inc.| | 17 May 2006| 23 May 2006
F5 Networks, Inc.| | 17 May 2006| 22 May 2006
Openwall GNU/*/Linux| | 17 May 2006| 17 May 2006
Cisco Systems, Inc.| | 12 May 2006| 12 May 2006
Conectiva Inc.| | 17 May 2006| 17 May 2006
Cray Inc.| | 17 May 2006| 17 May 2006
Debian GNU/Linux| | 17 May 2006| 17 May 2006
EMC, Inc. (formerly Data General Corporation)| | 17 May 2006| 17 May 2006
Engarde Secure Linux| | 17 May 2006| 17 May 2006
Fedora Project| | 17 May 2006| 17 May 2006
FreeBSD, Inc.| | 17 May 2006| 17 May 2006
Fujitsu| | 17 May 2006| 17 May 2006
Hewlett-Packard Company| | 17 May 2006| 17 May 2006
Hitachi| | 17 May 2006| 17 May 2006

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://linux.die.net/man/8/useradd>
  • <http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s1-users-tools.html>
  • <http://www.gentoo.org/security/en/glsa/glsa-200606-02.xml>
  • <http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-create-mailbox.diff?rev=HEAD>
  • <http://www.securityfocus.com/archive/1/archive/1/468336/100/0/threaded>
  • <https://www.securecoding.cert.org/confluence/x/VQBc>

Credit

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CVE-2006-1174
  • Date Public: 31 May 2006
  • Date First Published: 14 Dec 2007
  • Date Last Updated: 14 Dec 2007
  • Severity Metric: 0.23
  • Document Revision: 27