updatedb on Redhat

Description:RedHat Linux updatedb/sort insecure tmpfiles
Author:viinikala <kala@DRAGON.CZ>
Compromise:become user 'nobody' via updatedb (or root on a really old distro of RedHat) (local)
Vulnerable Systems:Redhat Linux (presumably 5.0) is very vulnerable due to updatedb calling sort regularly, many other systems (such as Solaris) have an insecure sort. Also FreeBSD 2.2.2 is apparently vulnerable to the same updatedb problem.
Date:28 February 1998
Notes:Dave Goldsmith may have found this first, although I cannot currently access his website for more info.

Date: Sat, 28 Feb 1998 17:32:21 +0100
From: viinikala <kala@DRAGON.CZ>
Subject: x11amp playlist bug


x11 audio mpeg player (x11amp) version 0.65, when installed setuid root
(as suggested by the README file), creates playlist files in ~/.x11amp
while making 'root' the owner of these plaintext files (instead of the
proper user). unfortunatelly, the program DOES follow symlinks, and
overwriting for instance /etc/shadow is therefore trivial:

mkdir ~/.x11amp
ln -s /etc/shadow ~/.x11amp/ekl

now run x11amp, get into the playlist menu, select 'ekl', mark all the
entries and hit 'delete'. no matter if the prg crashes (it might),
/etc/shadow is gone, anyway.

viinikala/rvl&grif <kala@dragon.cz>
i could wrap you up in cotton wool.
Date: Mon, 2 Mar 1998 15:16:41 -0500
From: Kragen <kragen@POBOX.COM>
Subject: Re: overwrite any file with updatedb

On Sun, 1 Mar 1998, Cain wrote:
> in /tmp called sort0<pid>000{1,2,etc}. Each is around 512k. The

On SunOS 5.5.1, the filenames are of the form /var/tmp/stmAAAa003M_aa,
and the files are typically smaller.

The M_ part, at least, appears to change from run to run, but it
doesn't change within a run.

Solaris 5.5.1 sort doesn't check for symlinks before it opens the file;
I have successfully overwritten a file in my home dir this way.

This is similar to the gcc bug.


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: