Bug 884658 (CVE-2013-4235)

Summary:	CVE-2013-4235 shadow-utils: TOCTOU race conditions by copying and removing directory trees
Product:	[Other] Security Response	Reporter:	Jan Lieskovsky <jlieskov>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	fedoraproject, fweimer, henri, mitr, pkis, pvrabec, security-response-team, tmraz
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:	A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-03-01 23:44:50 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	884664

Description Jan Lieskovsky 2012-12-06 13:58:52 UTC

A TOCTOU (time-of-check time-of-use) race condition was found in the way shadow-utils, collection of utilities for managing accounts and shadow password files, performed copying and removal of (user) directory trees. A local attacker, with permissions to write into particular directory, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of this directory (tree), if this directory was modified (copied or removed) via shadow-utils functionality.

This issue was found by Florian Weimer of Red Hat Product Security Team.

Comment 1 Jan Lieskovsky 2012-12-06 14:01:42 UTC

This issue affects the versions of the shadow-utils package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the shadow-utils package, as shipped with Fedora release of 16 and 17.

Comment 6 Tomas Mraz 2012-12-10 10:42:36 UTC

I think this is very low severity problem - the case when the user's home directory is created is in general not real problem at all because when the user is added to the system he does not have password set yet and so he cannot log-in during the time he is added to the system when he could use this race to attack. And even if he would have the password set he would have to know when the system administrator calls the useradd exactly.

The userdel and removing is just slightly more serious - but I'd expect the administrator to verify that the user does not have any running processes on the system before he tries to remove the user from the system.

Comment 7 Florian Weimer 2012-12-10 10:45:10 UTC

(In reply to comment #6)
> The userdel and removing is just slightly more serious - but I'd expect the
> administrator to verify that the user does not have any running processes on
> the system before he tries to remove the user from the system.

I agree that these issues are not severe.  But checking that a user is not logged in is not entirely sufficient because some directories to be removed could have 777 permissions (either accidentally or by design), so other users could participate in an attack.

Comment 11 Doran Moppert 2016-12-29 05:19:09 UTC

Acknowledgments:

Name: Florian Weimer (Red Hat Product Security Team)

Comment 12 Doran Moppert 2021-06-09 00:51:15 UTC

Upstream ticket:

https://github.com/shadow-maint/shadow/issues/317