shadow-utils useradd creates temporary files insecurely

CERT/CC Vulnerability Note VU#424080
Date: Nov 08, 2001
Source: www.kb.cert.org

CVSS v2 base score: 1.2 (Low), vector AV:L/AC:H/Au:N/C:N/I:P/A:N
Access Vector: Local; Access Complexity: High; Authentication: None; Confidentiality Impact: None; Integrity Impact: Partial; Availability Impact: None
EPSS: 0.0004 (Low), percentile 5.3%

Overview

Shadow-utils is an encryption and account management package freely distributed for many Linux implementations. The useradd program in this package creates insecure temporary files with predictable names in a directory that is normally write-protected. If that directory is changed to be writable, an attacker may be able to use a symbolic link attack to overwrite arbitrary files.

Description

The useradd program calls the passwd program, which stores temporary files with predictable names in /etc/default, a normally protected directory. The program does not check whether these files already exist, or who owns them, before writing to them. useradd normally runs with setuid root privileges.

Impact

If /etc/default is changed to be world-writable, an attacker may be able to create a symbolic link with a predictable name and point it at any writable file on the system. Because useradd runs as root, the write then lands on the link target, which may corrupt that file.

Solution

Apply vendor patches; see the Systems Affected section below.


Change /etc/default to not be world-writable.
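Added example, not code from the CERT note or from shadow-utils, showing the defensive pattern the Description and Solution above call for: refuse to create a temporary file when its parent directory is world-writable (and not sticky), and open with O_CREAT|O_EXCL so that a pre-existing entry at the expected name, including a symbolic link, makes the open fail instead of being followed. The scratch directory under /tmp, the function names and the file names are constructed for this demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if dir is world-writable without the sticky bit (the condition the
 * advisory warns about), 0 if acceptable, -1 if it cannot be examined. */
int dir_is_world_writable(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 1 : 0;
}

/* Create dir/name, refusing if the directory is world-writable or any entry
 * (file or symlink) already exists: with O_CREAT|O_EXCL the kernel returns
 * EEXIST even for a symlink, so a pre-placed link can never redirect the write. */
int create_private_file(const char *dir, const char *name) {
    char path[PATH_MAX];
    if (dir_is_world_writable(dir) != 0) { errno = EACCES; return -1; }
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a scratch directory (assumes /tmp is writable).
 * Bit 0: fresh name created; bit 1: pre-placed symlink refused with EEXIST;
 * bit 2: world-writable directory refused with EACCES. All checks pass == 7. */
int run_scenario(void) {
    char tmpl[] = "/tmp/vu424080-XXXXXX", link[PATH_MAX];
    char *dir = mkdtemp(tmpl);               /* created with mode 0700 */
    if (!dir) return -1;
    int result = 0, fd = create_private_file(dir, "fresh");
    if (fd >= 0) { result |= 1; close(fd); }
    snprintf(link, sizeof link, "%s/planted", dir);
    if (symlink("/dev/null", link) == 0 &&
        create_private_file(dir, "planted") == -1 && errno == EEXIST) result |= 2;
    if (chmod(dir, 0777) == 0 &&              /* the advisory's trigger condition */
        create_private_file(dir, "other") == -1 && errno == EACCES) result |= 4;
    snprintf(link, sizeof link, "%s/fresh", dir); unlink(link);
    snprintf(link, sizeof link, "%s/planted", dir); unlink(link);
    rmdir(dir);
    return result;
}
int main(void) { printf("checks passed: %d/7\n", run_scenario()); return 0; }
```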


Vendor Information


Immunix __ Affected

Notified: January 10, 2001 Updated: October 04, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/other_advisory-1034.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send the CERT/CC email with the subject "VU#424080 Feedback".

MandrakeSoft __ Affected

Notified: January 10, 2001 Updated: October 04, 2001

Status

Affected

Vendor Statement

http://www.linux-mandrake.com/en/updates/2001/MDKSA-2001-007.php3?dis=7.2

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Caldera __ Not Affected

Notified: October 09, 2001 Updated: October 29, 2001

Status

Not Affected

Vendor Statement

None of our currently released Linux products contains world writeable /etc/default/ directory. => Not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Unknown

Notified: October 09, 2001 Updated: November 08, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Unknown

Notified: October 09, 2001 Updated: November 08, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified: October 09, 2001 Updated: November 08, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

This vulnerability was first reported by Greg Kroah-Hartman

This document was last modified by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0120
Severity Metric: 0.30
Date Public:
