Bug 884658 (CVE-2013-4235) - CVE-2013-4235 shadow-utils: TOCTOU race conditions by copying and removing directory trees
Summary: CVE-2013-4235 shadow-utils: TOCTOU race conditions by copying and removing di...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-4235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 884664
TreeView+ depends on / blocked
 
Reported: 2012-12-06 13:58 UTC by Jan Lieskovsky
Modified: 2021-06-09 16:12 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.
Clone Of:
Environment:
Last Closed: 2018-03-01 23:44:50 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2012-12-06 13:58:52 UTC
A TOCTOU (time-of-check time-of-use) race condition was found in the way shadow-utils, collection of utilities for managing accounts and shadow password files, performed copying and removal of (user) directory trees. A local attacker, with permissions to write into particular directory, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of this directory (tree), if this directory was modified (copied or removed) via shadow-utils functionality.

This issue was found by Florian Weimer of Red Hat Product Security Team.

Comment 1 Jan Lieskovsky 2012-12-06 14:01:42 UTC
This issue affects the versions of the shadow-utils package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the shadow-utils package, as shipped with Fedora release of 16 and 17.

Comment 6 Tomas Mraz 2012-12-10 10:42:36 UTC
I think this is very low severity problem - the case when the user's home directory is created is in general not real problem at all because when the user is added to the system he does not have password set yet and so he cannot log-in during the time he is added to the system when he could use this race to attack. And even if he would have the password set he would have to know when the system administrator calls the useradd exactly.

The userdel and removing is just slightly more serious - but I'd expect the administrator to verify that the user does not have any running processes on the system before he tries to remove the user from the system.

Comment 7 Florian Weimer 2012-12-10 10:45:10 UTC
(In reply to comment #6)
> The userdel and removing is just slightly more serious - but I'd expect the
> administrator to verify that the user does not have any running processes on
> the system before he tries to remove the user from the system.

I agree that these issues are not severe.  But checking that a user is not logged in is not entirely sufficient because some directories to be removed could have 777 permissions (either accidentally or by design), so other users could participate in an attack.

Comment 11 Doran Moppert 2016-12-29 05:19:09 UTC
Acknowledgments:

Name: Florian Weimer (Red Hat Product Security Team)

Comment 12 Doran Moppert 2021-06-09 00:51:15 UTC
Upstream ticket:

https://github.com/shadow-maint/shadow/issues/317


Note You need to log in before you can comment on or make changes to this bug.