Bug 795853 - (CVE-2012-0871) CVE-2012-0871 systemd: insecure file creation may lead to elevated privileges

Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20120229,repo...
Keywords: Security
Depends On: 799086
Blocks: 795857
Reported: 2012-02-21 11:28 EST by Vincent Danen
Modified: 2012-03-22 08:38 EDT
Doc Type: Bug Fix
Last Closed: 2012-03-22 08:38:29 EDT

External Trackers
Tracker ID     Priority  Status  Summary  Last Updated
Novell 747154  None      None    None     Never

Description Vincent Danen 2012-02-21 11:28:44 EST
Sebastian Krahmer of the SUSE Security Team reported that systemd-logind, a part of the systemd service and system manager, did not create certain special files in a secure way.  systemd-logind is responsible for managing and tracking user login sessions, and if a user were to log into the X11 desktop, it creates entries in /run/user/[username]/X11, where /run/user/[username] is a user-owned directory.  Because systemd-logind does not create the entries in a secure fashion, a malicious user could replace /run/user/[username]/X11 with a symlink to another root-owned directory, such as /etc/pam.d or /etc/cron.d.  This would cause a symlink named "display" to be created in the target directory, which is a symlink to a user-owned file (/tmp/.X11-unix/X0).  Using further attack vectors and this symlink, the malicious user could obtain a root shell, if he could beat two separate race conditions.


Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Comment 1 Vincent Danen 2012-02-21 11:42:08 EST
Sebastian indicated that the following git commit removes the X11/ directory, rendering this ineffective, although it's not known whether this fixes the flaw fully, or simply renders this one avenue ineffective.

http://cgit.freedesktop.org/systemd/systemd/commit/?id=fc3c1c6e091ea16ad5600b145201ec535bbb5d7c
Comment 4 Stefan Cornelius 2012-03-01 04:38:36 EST
This is public now:
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00030.html
Comment 6 Tomas Hoger 2012-03-01 07:49:17 EST
SUSE bug report:
  https://bugzilla.novell.com/show_bug.cgi?id=747154
Comment 9 Stefan Cornelius 2012-03-01 13:37:31 EST
Created systemd tracking bugs for this issue

Affects: fedora-all [bug 799086]
Comment 14 Fedora Update System 2012-03-11 19:20:30 EDT
systemd-37-15.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.