GNOME GDM Insecure Temporary File Creation Vulnerability

Vulnerability ID: 1166352
Vulnerability type: Link following
Published: 2013-09-05
Updated: 2013-10-04
CVE: CVE-2013-4169
CNNVD ID: CNNVD-201309-049
Platform: N/A
CVSS score: 6.9
|Vulnerability sources
https://www.securityfocus.com/bid/62247
https://cxsecurity.com/issue/WLB-2013090055
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201309-049
|Vulnerability details
GNOME Display Manager (GDM) is the display manager for the GNOME desktop environment, developed by the GNOME project; it is also a graphical login program. GDM versions prior to 2.21.1 contain a race condition. A local attacker can mount a symbolic link attack against the /tmp/.X11-unix/ system temporary directory and use this flaw to change the permissions of an arbitrary directory or overwrite the contents of arbitrary files.
|Vulnerability EXP
As per the distros@ list recommendations, I'm writing to alert of a
problem with older versions of GDM.  As per our bugzilla [1]:

Vladz reported that GDM versions < 2.21.1 were vulnerable to a TOCTTOU
(time of check to time of use) flaw in the way that GDM checked for the
existence of, and created if missing, the /tmp/.X11-unix/ special
directory.  A local attacker could use this flaw to overwrite arbitrary
file contents via symbolic link attacks or to manipulate the contents of
arbitrary files, including those files owned by the root user that would
normally be inaccessible.  This is because GDM will chown /tmp/.X11-unix
to the user and group root, but also changes the permissions to 1777.

Newer versions of GDM no longer create the /tmp/.X11-unix/ directory and
are thus not vulnerable to this flaw.

This issue was assigned CVE-2013-4169.  We fixed the problem by having
rc.sysinit pre-create /tmp/.X11-unix at boot, like it does for
/tmp/.ICE-unix (and removing the offending code from GDM).


[1] https://bugzilla.redhat.com/show_bug.cgi?id=988498

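As an added illustration (not part of the advisory, the Red Hat fix, or GDM's own code), here is the check-then-create pattern the advisory describes beside a hardened variant that only ever acts on a descriptor opened with O_NOFOLLOW. The expected owner is a parameter (root for the real GDM case; the constructed scenario below uses the calling user), and run_scenario, path_mode and the /tmp/x11demo scratch path are assumed names for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#define SOCKDIR_MODE 01777 /* the world-writable sticky mode GDM applied */

/* Check-then-create as the advisory describes it: every step names the path
 * again, so a symlink swapped in after stat() redirects chown()/chmod(). */
int unsafe_create_socket_dir(const char *path, uid_t owner) {
    struct stat st;
    if (stat(path, &st) != 0 &&                          /* check ... */
        (errno != ENOENT || mkdir(path, SOCKDIR_MODE) != 0)) return -1;
    if (chown(path, owner, (gid_t)-1) != 0) return -1;   /* ... use by name; follows symlinks */
    return chmod(path, SOCKDIR_MODE);                    /* also follows symlinks */
}

/* Hardened variant: create unconditionally, then operate only on a descriptor
 * opened without following symlinks, after verifying what was actually opened. */
int safe_create_socket_dir(const char *path, uid_t owner) {
    if (mkdir(path, SOCKDIR_MODE) != 0 && errno != EEXIST) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                               /* a planted symlink fails with ELOOP */
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == owner;
    if (ok) ok = fchmod(fd, SOCKDIR_MODE) == 0;          /* acts on the fd, not the name */
    close(fd);
    return ok ? 0 : -1;
}

/* Permission bits of `path` without following symlinks, or -1 on error. */
int path_mode(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed scenario under /tmp: a fresh directory plus a symlink that points at a
 * private 0700 directory. Returns 0 when the hardened variant refuses the symlink
 * and the unsafe one follows it; otherwise the number of the step that failed. */
int run_scenario(void) {
    char base[] = "/tmp/x11demoXXXXXX", dir[280], victim[280], lnk[280];
    if (!mkdtemp(base)) return 1;
    snprintf(dir, sizeof dir, "%s/sock", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    if (mkdir(victim, 0700) != 0 || symlink(victim, lnk) != 0) return 2;
    if (safe_create_socket_dir(dir, getuid()) != 0 || path_mode(dir) != SOCKDIR_MODE) return 3;
    if (safe_create_socket_dir(lnk, getuid()) != -1 || path_mode(victim) != 0700) return 4;
    if (unsafe_create_socket_dir(lnk, getuid()) != 0 || path_mode(victim) != SOCKDIR_MODE) return 5;
    return 0;
}
```

The scratch directory is left behind under /tmp for inspection; the Red Hat fix took the simpler route of pre-creating /tmp/.X11-unix from rc.sysinit before any unprivileged user can run.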
|Affected products
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux 5 Server
Oracle Enterprise Linux 5
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
|References
Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=988498
Source: SECUNIA
Name: 54661
Link: http://secunia.com/advisories/54661
Source: REDHAT
Name: RHSA-2013:1213
Link: http://rhn.redhat.com/errata/RHSA-2013-1213.html
Source: BID
Name: 62247
Link: http://www.securityfocus.com/bid/62247