Bug 795853 (CVE-2012-0871) - CVE-2012-0871 systemd: insecure file creation may lead to elevated privileges
Summary: CVE-2012-0871 systemd: insecure file creation may lead to elevated privileges
Status: CLOSED ERRATA
Alias: CVE-2012-0871
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 799086
Blocks: 795857
Reported: 2012-02-21 16:28 UTC by Vincent Danen
Modified: 2019-09-29 12:50 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-03-22 12:38:29 UTC




Links: Novell 747154 (external tracker)

Description Vincent Danen 2012-02-21 16:28:44 UTC
Sebastian Krahmer of the SUSE Security Team reported that systemd-logind, a part of the systemd service and system manager, did not create certain special files in a secure way.  systemd-logind is responsible for managing and tracking user login sessions, and if a user were to log into the X11 desktop, it creates entries in /run/user/[username]/X11, where /run/user/[username] is a user-owned directory.  Because systemd-logind does not create the entries in a secure fashion, a malicious user could replace /run/user/[username]/X11 with a symlink to another root-owned directory, such as /etc/pam.d or /etc/cron.d.  This would cause a symlink named "display" to be created in the target directory, which is a symlink to a user-owned file (/tmp/.X11-unix/X0).  Using further attack vectors and this symlink, the malicious user could obtain a root shell, if he could beat two separate race conditions.


Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Comment 1 Vincent Danen 2012-02-21 16:42:08 UTC
Sebastian indicated that the following git commit removes the X11/ directory, rendering this ineffective, although it's not known whether this fixes the flaw fully, or simply renders this one avenue ineffective.

http://cgit.freedesktop.org/systemd/systemd/commit/?id=fc3c1c6e091ea16ad5600b145201ec535bbb5d7c

Comment 4 Stefan Cornelius 2012-03-01 09:38:36 UTC
This is public now:
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00030.html

Comment 6 Tomas Hoger 2012-03-01 12:49:17 UTC
SUSE bug report:
  https://bugzilla.novell.com/show_bug.cgi?id=747154

Comment 9 Stefan Cornelius 2012-03-01 18:37:31 UTC
Created systemd tracking bugs for this issue

Affects: fedora-all [bug 799086]

Comment 14 Fedora Update System 2012-03-11 23:20:30 UTC
systemd-37-15.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

