Bug 458652 (CVE-2008-3524) - CVE-2008-3524 initscripts: possible system files removal via malicious symlink in /var/{lock,run}
Summary: CVE-2008-3524 initscripts: possible system files removal via malicious symlin...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3524
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 458504
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-08-11 11:38 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-29 08:15:36 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2008-08-11 11:38:00 UTC 
Description of problem:

Description of problem:

/etc/rc.sysinit makes

| find -L /var/lock /var/run ! -type d -exec rm -f {} \;

at every start.  It is common practice to have daemon-writable subdirs below
/var/run or /var/lock (e.g. /var/run/openldap).  When such a daemon is
compromised, an attack could create a

| /var/run/openldap/foo -> /

symlink which wipes whole system at next startup.


Version-Release number of selected component (if applicable):

initscripts-8.76.2-1.x86_64


How reproducible:

100%

Steps to Reproduce:
1. mkdir /var/run/foo
2. chown nobody:nobody /var/run/foo
3. runuser nobody -s /bin/sh 'ln -s / /var/run/foo/bar'
4. reboot

Actual results:

a lot of 'command not found' errors on startup


Additional info:

Kudos to Herbert Poetzl about discovering this vulnerability.
Comment 1 Jan Lieskovsky 2008-08-11 11:40:39 UTC 
Low security issue (requires malicious daemon with privileges to write
into /var/run directory), affecting all versions of the initscripts package
as shipped with Red Hat Enterprise Linux 2.1, 3, 4 and 5.
Comment 2 Jan Lieskovsky 2008-08-11 11:45:57 UTC 
Bill could you provide your opinion to this issue and if it is worthy
to fix (to include the fix into the initscripts packages as shipped with
RHEL*).
Comment 3 Enrico Scholz 2008-08-19 07:33:59 UTC 
afais, RHEL is *not* affected. This bug was introduced in F9 first by

http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=b8fbfde343e39337bcbddc33cab0bc30ee4fb0e3
Comment 4 Tomas Hoger 2008-08-21 13:32:07 UTC 
Sadly enough, some Fedora packages create world-writable subdirectories in /var/run, so they allow any local unprivileged user to take advantage of this flaw without having to exploit a flaw in any daemon service.

Bill, may I ask what was the motivation behind using -L?  Not using it should solve the issue and yet do the cleanup properly.  Or is anything missed if -L is omitted what should be deleted?
Comment 5 Bill Nottingham 2008-08-22 20:35:14 UTC 
There was a reason, as it was even added in a separate commit after the first one. But I'm not recalling what it was.

I can always just remove it, push a test update, and see what breaks. It certainly works in smoke testing.
Comment 6 Tomas Hoger 2008-08-25 08:11:12 UTC 
It looks like the change referenced by Enrico was done to make sure socket and symlink files in /var/{lib,run} are removed, which was not done with -type f.  Along with '-type f' -> '! -type d' change, -L was added.  Any file that exists in /var/{lib,run} should have a non-symlink path to it, so we do not seem to need to follow symlinks.
Comment 8 Fedora Update System 2008-08-29 17:14:54 UTC 
initscripts-8.76.3-1 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/initscripts-8.76.3-1
Comment 9 Fedora Update System 2008-09-25 00:14:42 UTC 
initscripts-8.76.3-1 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Red Hat Product Security 2008-09-29 08:15:36 UTC 
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-7667
Note You need to log in before you can comment on or make changes to this bug.