Bug 795853 (CVE-2012-0871)

Summary: CVE-2012-0871 systemd: insecure file creation may lead to elevated privileges
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: jlieskov, lpoetter, mschmidt, scorneli, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-22 12:38:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 799086
Bug Blocks: 795857 (Embargoed)

Description Vincent Danen 2012-02-21 16:28:44 UTC
Sebastian Krahmer of the SUSE Security Team reported that systemd-logind, a part of the systemd service and system manager, did not create certain special files in a secure way.  systemd-logind is responsible for managing and tracking user login sessions, and if a user were to log into the X11 desktop, it creates entries in /run/user/[username]/X11, where /run/user/[username] is a user-owned directory.  Because systemd-logind does not create the entries in a secure fashion, a malicious user could replace /run/user/[username]/X11 with a symlink to another root-owned directory, such as /etc/pam.d or /etc/cron.d.  This would cause a symlink named "display" to be created in the target directory, which is a symlink to a user-owned file (/tmp/.X11-unix/X0).  Using further attack vectors and this symlink, the malicious user could obtain a root shell, if he could beat two separate race conditions.


Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
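
The flaw described above is the classic "create a file through a path that passes beneath a directory the user owns" mistake: the parent component (X11) is swapped for a symlink, and symlink() happily resolves it into /etc/cron.d. The following is an added illustration, not systemd-logind's code or its fix; the function names, the scratch directory layout standing in for /run/user/<user> and /etc/cron.d, and the reporting helper are constructed for the demonstration. It shows the vulnerable path-based pattern next to a hardened form that opens each component with O_NOFOLLOW and creates the link relative to a directory descriptor, so neither a planted symlink nor a concurrent rename can redirect it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical name): build "<runtime_dir>/X11/display"
 * as a string and let symlink() resolve it. mkdir() returns EEXIST when the
 * user has already planted a symlink named X11, and symlink() then follows
 * that symlink, so "display" is created wherever X11 points. */
static int create_display_link_unsafe(const char *runtime_dir, const char *target)
{
    char x11[PATH_MAX], link[PATH_MAX];
    snprintf(x11, sizeof x11, "%s/X11", runtime_dir);
    snprintf(link, sizeof link, "%s/display", x11);
    if (mkdir(x11, 0700) < 0 && errno != EEXIST)
        return -1;
    return symlink(target, link);      /* parent components are followed */
}

/* Hardened pattern (hypothetical name): never let the kernel resolve a
 * user-controlled component for us. Open the runtime dir and then X11 with
 * O_NOFOLLOW (a planted symlink fails with ELOOP), confirm the descriptor
 * really is a directory, and create the link relative to that descriptor,
 * which pins the directory inode against a rename between check and use. */
static int create_display_link_safe(const char *runtime_dir, const char *target)
{
    int dfd = open(runtime_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    if (mkdirat(dfd, "X11", 0700) < 0 && errno != EEXIST) {
        close(dfd);
        return -1;
    }
    int xfd = openat(dfd, "X11", O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(dfd);
    if (xfd < 0)
        return -1;                     /* ELOOP here is the attack being refused */
    struct stat st;
    if (fstat(xfd, &st) < 0 || !S_ISDIR(st.st_mode)) {
        close(xfd);
        errno = ENOTDIR;
        return -1;
    }
    int r = symlinkat(target, xfd, "display");
    close(xfd);
    return r;
}

/* Constructed scenario: a scratch tree under /tmp with a "runtime" dir whose
 * X11 entry the attacker has replaced by a symlink to a "victim" dir standing
 * in for /etc/cron.d. Returns 1 if "display" ended up inside victim, 0 if the
 * creator refused, -1 if the scratch tree could not be set up. */
static int run_scenario(int (*creator)(const char *, const char *))
{
    char base[] = "/tmp/cve-2012-0871-XXXXXX";
    if (!mkdtemp(base))
        return -1;
    char runtime[PATH_MAX], victim[PATH_MAX], x11[PATH_MAX], planted[PATH_MAX];
    snprintf(runtime, sizeof runtime, "%s/runtime", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(x11, sizeof x11, "%s/X11", runtime);
    snprintf(planted, sizeof planted, "%s/display", victim);
    if (mkdir(runtime, 0700) < 0 || mkdir(victim, 0700) < 0)
        return -1;
    if (symlink(victim, x11) < 0)      /* the attacker's move */
        return -1;
    creator(runtime, "/tmp/.X11-unix/X0");   /* logind's move; the target is the user-owned socket */
    struct stat st;
    int hit = lstat(planted, &st) == 0 && S_ISLNK(st.st_mode);
    unlink(planted); unlink(x11); rmdir(victim); rmdir(runtime); rmdir(base);
    return hit;
}

int main(void)
{
    printf("unsafe creator wrote into victim dir: %d\n", run_scenario(create_display_link_unsafe));
    printf("safe creator wrote into victim dir:   %d\n", run_scenario(create_display_link_safe));
    return 0;
}
```

The two remaining races in the original report (winning the replacement of X11 before logind acts, then abusing the resulting "display" link) are exactly what the descriptor-relative version removes: once xfd is open and verified, nothing the user does to the path names can change where symlinkat() writes.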

Comment 1 Vincent Danen 2012-02-21 16:42:08 UTC
Sebastian indicated that the following git commit removes the X11/ directory, rendering this ineffective, although it's not known whether this fixes the flaw fully, or simply renders this one avenue ineffective.

http://cgit.freedesktop.org/systemd/systemd/commit/?id=fc3c1c6e091ea16ad5600b145201ec535bbb5d7c

Comment 4 Stefan Cornelius 2012-03-01 09:38:36 UTC
This is public now:
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00030.html

Comment 6 Tomas Hoger 2012-03-01 12:49:17 UTC
SUSE bug report:
  https://bugzilla.novell.com/show_bug.cgi?id=747154

Comment 9 Stefan Cornelius 2012-03-01 18:37:31 UTC
Created systemd tracking bugs for this issue

Affects: fedora-all [bug 799086]

Comment 14 Fedora Update System 2012-03-11 23:20:30 UTC
systemd-37-15.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.