Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 884658 - (CVE-2013-4235) CVE-2013-4235 shadow-utils: TOCTOU race conditions by copying and removing directory trees
CVE-2013-4235 shadow-utils: TOCTOU race conditions by copying and removing di...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20150206,reported=2...
: Security
Depends On:
Blocks: 884664
  Show dependency treegraph
 
Reported: 2012-12-06 08:58 EST by Jan Lieskovsky
Modified: 2018-03-01 18:44 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-01 18:44:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Jan Lieskovsky 2012-12-06 08:58:52 EST 
A TOCTOU (time-of-check time-of-use) race condition was found in the way shadow-utils, collection of utilities for managing accounts and shadow password files, performed copying and removal of (user) directory trees. A local attacker, with permissions to write into particular directory, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of this directory (tree), if this directory was modified (copied or removed) via shadow-utils functionality.

This issue was found by Florian Weimer of Red Hat Product Security Team.
Comment 1 Jan Lieskovsky 2012-12-06 09:01:42 EST 
This issue affects the versions of the shadow-utils package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the shadow-utils package, as shipped with Fedora release of 16 and 17.
Comment 6 Tomas Mraz 2012-12-10 05:42:36 EST 
I think this is very low severity problem - the case when the user's home directory is created is in general not real problem at all because when the user is added to the system he does not have password set yet and so he cannot log-in during the time he is added to the system when he could use this race to attack. And even if he would have the password set he would have to know when the system administrator calls the useradd exactly.

The userdel and removing is just slightly more serious - but I'd expect the administrator to verify that the user does not have any running processes on the system before he tries to remove the user from the system.
Comment 7 Florian Weimer 2012-12-10 05:45:10 EST 
(In reply to comment #6)
> The userdel and removing is just slightly more serious - but I'd expect the
> administrator to verify that the user does not have any running processes on
> the system before he tries to remove the user from the system.

I agree that these issues are not severe.  But checking that a user is not logged in is not entirely sufficient because some directories to be removed could have 777 permissions (either accidentally or by design), so other users could participate in an attack.
Comment 11 Doran Moppert 2016-12-29 00:19:09 EST 
Acknowledgments:

Name: Florian Weimer (Red Hat Product Security Team)
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.