FW: REACT Advisory 2001-12-069, Hardlink Vulnerability in "script " Command

Subject: FW: REACT Advisory 2001-12-069, Hardlink Vulnerability in "script " Command
From: Wadell, Jim S (SAIC) (WadellJS@BP.com)
Date: Mon Dec 17 2001 - 16:24:50 AKST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Next message: W.D.McKinney: "Wireless base stations"
• Previous message: Bill Updegraff: "List Server Problem(Majordomo?)"

-----Original Message-----
From: Jenkinson, John P (SAIC)
Sent: Monday, December 17, 2001 4:13 PM
To: G ANC UNIX Support
Subject: REACT Advisory 2001-12-069, Hardlink Vulnerability in "script"
Command

///////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
              _______ ______ _______ _______
             / / / /\ \ \
            / / / / \ \ \
           /______ / /____ /____\ \ \
          / \ / / \ \ \
         / \ / / \ \ \
        / \ /______ / \ \_______ \
                          Predictive Systems
                   Rapid Emergency Action Crisis Team
                           SECURITY ADVISORY
 
This is an automated advisory from the Predictive Systems REACT advisory
service. Please do not reply to this message as it was sent from an
automated mailbox. Comments or questions about this specific advisory
should be addressed to soc@predictive.com.
 
 

                             2001-12-069

///////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

SUBJECT: Hardlink Vulnerability in "script" Command

RISK FACTOR: 3

RISK FACTOR EXPLANATION: It is not likely that root users execute
'script' in a user's home directory.

IMPACT: Unauthorized Access

SUMMARY: A vulnerability exists in the "script" command, which is part
of the util-linux package.

PLATFORMS AFFECTED: Servers,Workstations

Hardware: Intel,Alpha,Sparc

Operating Systems: LINUX

Applications:

BACKGROUND: Util-linux is a suite of essential utilities for any Linux
system. This hardlink vulnerability could overwrite any file on the
hard disk. 'Script' is tool to save terminal sessions for later
reference, it creates a file called typescript for its log by default.
A malicious user could place a hardlink 'typescript' to /etc/passwd
in his home directory. If the root user executes 'script' in that
directory it would cause 'script' to overwrite that file.

RECOMMENDATIONS: Predictive Systems is not aware of any vendor-supplied
patches available.

VENDOR-SUPPLIED INFORMATION: None

///////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Predictive Systems would like to thank NewOrder
for information used in the preparation of this advisory.
RCM

///////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

REACT provides security incident response and other information
security services for customers concerned about protecting information
assets. REACT provides general information security advisories about
threats to information systems, as well as more detailed advisories
concerning threats to particular industries, companies, platforms, or
services. Information contained in the advisories is collected from
both public sources and Global proprietary sources. The information
contained in these advisories is intended to assist Global customers in
responding to information security threats. Anyone interested in
obtaining additional information about REACT services and capabilities
can use the following:

   Voice Phone Number - 1-888-REACT-1-2 (within US)
                    or 1-703-375-2910
   E-mail - soc@predictive.com
   FAX 703-375-2427
   Website - http://www.predictive.com

REACT is a member of the Forum of Incident Response and Security Teams
(FIRST), an international coalition of incident response teams from
government, commercial, and academic organizations. The mission of
FIRST is to foster cooperation and coordination in incident prevention,
response, and information sharing within the security community. For
more information on FIRST, review the organization web page at
www.first.org.

(c) 2001 Global Integrity Corporation, all rights reserved. Global
REACT advisories are the property of Global Integrity Corporation.
Advisories may be freely distributed within a customer's organization.
They may not be distributed to outside parties without the express
permission of Global Integrity. Neither REACT nor any of its
employees or agents make any warranty, express or implied, or assume
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product or process disclosed, or
remedies described, orrepresents that its use would not infringe
privately owned rights. It is expressly understood that the
publication or distribution of REACT advisories may reveal
information security vulnerabilities, and that these vulnerabilities
may be exploited once they become known. Recipients are cautioned to
treat such vulnerability information with great care. REACT accepts
no liability or responsibility for the failure of any individual to
promptly correct any vulnerabilities revealed by REACT advisories,
and the disclaims any liability in the event a vulnerability is not
reported by REACT. REACT endorses no particular product or service,
and does not warrant the effectiveness or appropriateness of any
particular product or service. The views and opinions of the authors
expressed herein shall not be used for advertising or product
endorsement purposes.

• Next message: W.D.McKinney: "Wireless base stations"
• Previous message: Bill Updegraff: "List Server Problem(Majordomo?)"

This archive was generated by hypermail 2a23 : Mon Dec 17 2001 - 16:26:03 AKST