{"vuid":"VU#405955","idnumber":"405955","name":"util-linux package vulnerable to privilege escalation when \"ptmptmp\" file is not removed properly when using \"chfn\" utility","keywords":["util-linux","privilege escalation","ptmptmp","chfn utility","file descriptor","lock file"],"overview":"The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.","clean_desc":"util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system. For further details, please see the BindView advisory.","impact":"A local user may be able to elevate their privileges on the system.","resolution":"Apply a patch from your vendor. Alternatively, an immediate workaround (provided by BindView) is to remove the setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows. --- util-linux-2.11n-old/login-utils/setpwnam.c Mon Jul 31 08:50:39 2000\n+++ util-linux-2.11n/login-utils/setpwnam.c     Wed Jun 12 21:37:12 2002\n@@ -98,7 +98,8 @@\n     /* sanity check */\n     for (x = 0; x < 3; x++) {\n        if (x > 0) sleep(1); -       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT, 0644); +        // Never share the temporary file. \n+       fd = open(PTMPTMP_FILE, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) {\n            umask(oldumask); return -1;","workarounds":"","sysaffected":"","thanks":"Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.","author":"This document was written by Ian A Finlay.","public":["http://www.securityfocus.com/bid/5344"],"cveids":["CVE-2002-0638"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-06-13T17:12:15Z","publicdate":"2002-07-29T00:00:00Z","datefirstpublished":"2002-07-29T18:57:48Z","dateupdated":"2003-05-30T17:13:00Z","revision":19,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"10","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"20","cam_easeofexploitation":"13","cam_attackeraccessrequired":"10","cam_scorecurrent":"10.96875","cam_scorecurrentwidelyknown":"25.59375","cam_scorecurrentwidelyknownexploited":"32.90625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":10.96875,"vulnote":null}