Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SUSE-SA:2005:062: permissions

🗓️ 24 Oct 2005 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 14 Views

SUSE-SA:2005:062 permissions patch for SUSE LINUX includes chkstat program to set directory permissions 'easy', 'secure' and 'paranoid' levels, preventing malicious hardlink trick to gain access to sensitive files like /etc/shadow

Code
#%NASL_MIN_LEVEL 70300

#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:062
#


if ( ! defined_func("bn_random") ) exit(0);

include('deprecated_nasl_level.inc');
include('compat.inc');

if(description)
{
 script_id(20083);
 script_version("1.9");
 
 name["english"] = "SUSE-SA:2005:062: permissions";
 
 script_name(english:name["english"]);
 
 script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
 script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2005:062 (permissions).


SUSE LINUX ships with three pre defined sets of permissions, 'easy',
'secure' and 'paranoid'. The chkstat program contained in the
permissions package is used to set those permissions to the chosen
level. Level 'easy' which is the default allows some world writeable
directories. /usr/src/packages/RPMS and subdirectories is among
them. To prevent users from playing tricks in there e.g. linking to
/etc/shadow chkstat doesn't touch symlinks or files with an hardlink
count != 1.

Stefan Nordhausen discovered a way to trick this check. To gain
access to e.g. /etc/shadow a malicious user has to place a hardlink
to that file at a place that is modified by chkstat. chkstat will
not touch the file because it has a hardlink count of two. However,
if the administrator modifies the user database the original
/etc/shadow gets deleted and replaced by a new one. That means the
hardlink count of the file created by the malicious user drops to
one. At this point chkstat will modify the file's permissions so
anyone can read it. So it's technically impossible for chkstat to
modify permissions of files in world writeable directories in a
secure way.

One such world writeable directoy in level 'easy' is
/usr/src/packages/RPMS. Only subdirectories need to be adjusted in
this case. Since normal users cannot create hard links to
directories the problem can be solved by telling chkstat to not
accept regular files. Another problematic directory is /var/games.
Only members of group 'games' may write to it but it's likely that
games with setgid 'games' are exploitable to allow user to gain
group 'games' membership.

The updated permissions package now tells chkstat when to only
accept directories and no longer touches anything below /var/games
to solve the described problems. On SUSE Linux 9.0 xmcd contained
world writeable directories that suffered from the same problems.
Updated xmcd packages for SUSE Linux 9.0 are therefore provided as
well.

We like to thank Stefan Nordhausen for pointing out the problems." );
 script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/advisories/2005_62_permissions.html" );
 script_set_attribute(attribute:"risk_factor", value:"Medium" );



 script_set_attribute(attribute:"plugin_publication_date", value: "2005/10/24");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
 script_end_attributes();

 
 summary["english"] = "Check for the version of the permissions package";
 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");
 family["english"] = "SuSE Local Security Checks";
 script_family(english:family["english"]);
 
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/SuSE/rpm-list");
 exit(0);
}

include("rpm.inc");
if ( rpm_check( reference:"filesystem-10.0-4.2", release:"SUSE10.0") )
{
 security_warning(0);
 exit(0);
}
if ( rpm_check( reference:"permissions-2005.10.20-0.1", release:"SUSE10.0") )
{
 security_warning(0);
 exit(0);
}
if ( rpm_check( reference:"permissions-2005.10.20-3", release:"SUSE9.0") )
{
 security_warning(0);
 exit(0);
}
if ( rpm_check( reference:"xmcd-3.0.2-552", release:"SUSE9.0") )
{
 security_warning(0);
 exit(0);
}
if ( rpm_check( reference:"permissions-2005.10.20-0.2", release:"SUSE9.1") )
{
 security_warning(0);
 exit(0);
}
if ( rpm_check( reference:"permissions-2005.10.20-0.1", release:"SUSE9.2") )
{
 security_warning(0);
 exit(0);
}
if ( rpm_check( reference:"permissions-2005.10.20-0.1", release:"SUSE9.3") )
{
 security_warning(0);
 exit(0);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Jan 2021 00:00Current
5.3Medium risk
Vulners AI Score5.3
suse linuxchkstat programdirectory permissionsworld writeable directorieshardlink tricksensitive files/etc/shadowmalicious usergroup 'games'xmcd packagestefan nordhausen
14