Bug 458652 - (CVE-2008-3524) CVE-2008-3524 initscripts: possible system files removal via malicious symlink in /var/{lock,run}
CVE-2008-3524 initscripts: possible system files removal via malicious symlin...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 458504
  Show dependency treegraph
Reported: 2008-08-11 07:38 EDT by Jan Lieskovsky
Modified: 2008-09-29 04:15 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-29 04:15:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2008-08-11 07:38:00 EDT
Description of problem:

Description of problem:

/etc/rc.sysinit makes

| find -L /var/lock /var/run ! -type d -exec rm -f {} \;

at every start.  It is common practice to have daemon-writable subdirs below
/var/run or /var/lock (e.g. /var/run/openldap).  When such a daemon is
compromised, an attack could create a

| /var/run/openldap/foo -> /

symlink which wipes whole system at next startup.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. mkdir /var/run/foo
2. chown nobody:nobody /var/run/foo
3. runuser nobody -s /bin/sh 'ln -s / /var/run/foo/bar'
4. reboot

Actual results:

a lot of 'command not found' errors on startup

Additional info:

Kudos to Herbert Poetzl about discovering this vulnerability.
Comment 1 Jan Lieskovsky 2008-08-11 07:40:39 EDT
Low security issue (requires malicious daemon with privileges to write
into /var/run directory), affecting all versions of the initscripts package
as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5.
Comment 2 Jan Lieskovsky 2008-08-11 07:45:57 EDT
Bill could you provide your opinion to this issue and if it is worthy
to fix (to include the fix into the initscripts packages as shipped with
Comment 3 Enrico Scholz 2008-08-19 03:33:59 EDT
afais, RHEL is *not* affected. This bug was introduced in F9 first by

Comment 4 Tomas Hoger 2008-08-21 09:32:07 EDT
Sadly enough, some Fedora packages create world-writable subdirectories in /var/run, so they allow any local unprivileged user to take advantage of this flaw without having to exploit a flaw in any daemon service.

Bill, may I ask what was the motivation behind using -L?  Not using it should solve the issue and yet do the cleanup properly.  Or is anything missed if -L is omitted what should be deleted?
Comment 5 Bill Nottingham 2008-08-22 16:35:14 EDT
There was a reason, as it was even added in a separate commit after the first one. But I'm not recalling what it was.

I can always just remove it, push a test update, and see what breaks. It certainly works in smoke testing.
Comment 6 Tomas Hoger 2008-08-25 04:11:12 EDT
It looks like the change referenced by Enrico was done to make sure socket and symlink files in /var/{lib,run} are removed, which was not done with -type f.  Along with '-type f' -> '! -type d' change, -L was added.  Any file that exists in /var/{lib,run} should have a non-symlink path to it, so we do not seem to need to follow symlinks.
Comment 8 Fedora Update System 2008-08-29 13:14:54 EDT
initscripts-8.76.3-1 has been submitted as an update for Fedora 9.
Comment 9 Fedora Update System 2008-09-24 20:14:42 EDT
initscripts-8.76.3-1 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Red Hat Product Security 2008-09-29 04:15:36 EDT
This issue was addressed in:


Note You need to log in before you can comment on or make changes to this bug.