util-linux chfn and chsh race condition and file locking could allow elevated privileges

utillinux-chfn-race-condition (9709). The risk level is classified as Medium Risk.

Description:

A race condition in the /usr/bin/chfn and /usr/bin/chsh utilities could allow a local attacker to gain elevated privileges on the system. A local attacker can exploit this race condition along with a file locking issue to modify the /etc/passwd file and gain elevated privileges. This issue requires a carefully-crafted attack sequence in order to exploit, as well as interaction on the part of an administrator. In addition, the /etc/passwd file must be over 4 KB.


Consequences:

Gain Privileges

Remedy:

For Red Hat Linux:
Upgrade to the latest util-linux package, as listed below. Refer to RHSA-2002:132-14 for more information. See References.

Red Hat 6.2: util-linux-2.10f-7.6.2 or later

Red Hat 7.0: util-linux-2.10m-12.7.0 or later

Red Hat 7.1 and 7.2: util-linux-2.11f-17.7.2 or later

Red Hat 7.3: util-linux-2.11n-12.7.3 or later

For Mandrake Linux:
Upgrade to the latest util-linux package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:047 : util-linux for more information. See References.

Linux-Mandrake 7.1, 7.2, Corporate Server 1.0.1 and Single Network Firewall 7.2: util-linux-2.10o-6.1mdk or later
Mandrake Linux 8.0: util-linux-2.10s-3.2mdk or later
Mandrake Linux 8.0 (PPC), 8.1 and 8.1(IA64): util-linux-2.11h-3.5mdk or later
Mandrake Linux 8.2 and 8.2 (PPC): util-linux-2.11n-4.3mdk or later

For Conectiva Linux:
Upgrade to the latest util-linux package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:523 for more information. See References.

Conectiva Linux 6.0: 2.10o-2U60_1cl or later
Conectiva Linux 7.0: 2.10s-4U70_1cl or later
Conectiva Linux 8.0: 2.11n-4U80_1cl or later

For Caldera OpenLinux 3.1 and 3.1.1 (Server and Workstation):
Upgrade to the latest util-linux package (2.11l-5.1 or later), as listed in SCO Security Advisory CSSA-2002-043.0. See References.

As a workaround, remove setuid flags from /usr/bin/chfn and /usr/bin/chsh.

For other distributions:
Contact your vendor for upgrade or patch information.
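
The following audit script is an added example, not part of the original advisory or of util-linux. It reports, for each utility, whether the conditions named in the Description are present on a host, and includes a function for the setuid workaround given above. The function names and the reading of "over 4 KB" as more than 4096 bytes are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the advisory: reports the two local conditions it
# names (setuid chfn/chsh, /etc/passwd over 4 KB). It does not check the
# installed util-linux version, so a patched system can still be flagged.

# Assumption: "over 4 KB" is read as more than 4096 bytes.
PASSWD_LIMIT=4096

# Succeeds if $1 is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Succeeds if passwd file $1 is larger than PASSWD_LIMIT bytes.
passwd_over_limit() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$PASSWD_LIMIT" ]
}

# classify PASSWD_FILE BINARY: prints "missing", "not-setuid", "setuid"
# (setuid, passwd file within the limit) or "exposed" (both conditions).
classify() {
    if [ ! -f "$2" ]; then echo missing
    elif ! has_setuid "$2"; then echo not-setuid
    elif passwd_over_limit "$1"; then echo exposed
    else echo setuid
    fi
}

# The advisory's workaround: clear the setuid bit and confirm it is gone.
remove_setuid() {
    chmod u-s "$1" && ! has_setuid "$1"
}

# Report only; run remove_setuid on a path (as root) to apply the workaround.
for bin in /usr/bin/chfn /usr/bin/chsh; do
    echo "$bin: $(classify /etc/passwd "$bin")"
done
```

With the setuid bit removed, non-root users can no longer change their own finger information or login shell with these utilities.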

References:

Platforms Affected:

  • Conectiva Linux 6.0
  • Conectiva Linux 7.0
  • Conectiva Linux 8.0
  • Kernel util-linux
  • MandrakeSoft Mandrake Linux 7.1
  • MandrakeSoft Mandrake Linux 7.2
  • MandrakeSoft Mandrake Linux 8.0 PPC
  • MandrakeSoft Mandrake Linux 8.0
  • MandrakeSoft Mandrake Linux 8.1
  • MandrakeSoft Mandrake Linux 8.1 IA64
  • MandrakeSoft Mandrake Linux 8.2
  • MandrakeSoft Mandrake Linux 8.2 PPC
  • MandrakeSoft Mandrake Linux Corporate Server 1.0.1
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Linux 6.2
  • RedHat Linux 7
  • RedHat Linux 7.1
  • RedHat Linux 7.1 for iSeries
  • RedHat Linux 7.1 for pSeries
  • RedHat Linux 7.2
  • RedHat Linux 7.3
  • SCO Caldera OpenLinux Server 3.1
  • SCO Caldera OpenLinux Server 3.1.1
  • SCO Caldera OpenLinux Workstation 3.1
  • SCO Caldera OpenLinux Workstation 3.1.1

Reported:

Jul 29, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
