GNU Core Utilities Local Race Condition Vulnerability
BID:13053
Info
GNU Core Utilities Local Race Condition Vulnerability
| Bugtraq ID: | 13053 |
| Class: | Race Condition Error |
| CVE: |
CVE-2005-1039 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 07 2005 12:00AM |
| Updated: | Jul 12 2009 12:56PM |
| Credit: | Discovery is credited to Imran Ghory <[email protected]>. |
| Vulnerable: |
GNU Coreutils 5.2.1 |
| Not Vulnerable: | |
Discussion
GNU Core Utilities Local Race Condition Vulnerability
It is reported that the mkdir, mknod, mkfifo utilities supplied with GNU Core Utilities 5.2.1 are affected by a race condition error that may allow an attacker to manipulate file permissions leading to various attacks.
Specifically, this issue arises if the attacker has write permissions to a directory where a user is executing mkdir, mknod, or mkfifo with the '-m' switch.
A successful attack can allow the attacker to manipulate file permissions and then carry out other attacks such as disclosing sensitive data, corruption of data and potential privilege escalation.
It is possible that this issue is similar to BID 12954 (BZip2 CHMod File Permission Modification Race Condition Weakness).
It is reported that the mkdir, mknod, mkfifo utilities supplied with GNU Core Utilities 5.2.1 are affected by a race condition error that may allow an attacker to manipulate file permissions leading to various attacks.
Specifically, this issue arises if the attacker has write permissions to a directory where a user is executing mkdir, mknod, or mkfifo with the '-m' switch.
A successful attack can allow the attacker to manipulate file permissions and then carry out other attacks such as disclosing sensitive data, corruption of data and potential privilege escalation.
It is possible that this issue is similar to BID 12954 (BZip2 CHMod File Permission Modification Race Condition Weakness).
Exploit / POC
GNU Core Utilities Local Race Condition Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution / Fix
GNU Core Utilities Local Race Condition Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
GNU Core Utilities Local Race Condition Vulnerability
References:
References:
- Coreutils Homepage (GNU)
- GNU Core Utilities race condition file-permissions vulnerability (Imran Ghory