
apmd possible Symlink Attack
4th Dec 2001 [SBWID-4888]



	 Red Hat 7.2 "Enigma" with installed apmd-3.0final-34 package

	 previous Red Hat distributions are not affected

	 because the vulnerability was introduced by a script that is not in the official apmd package, most other GNU/Linux distributions are not affected



	Enrico Scholz reported the following:

	/etc/sysconfig/apm-scripts/apmscript executes the line

	|    touch /tmp/LOW_POWER

	when

	 - the APM system signals a low-battery state and

	 - $LOWPOWER_SERVICES is not empty (it defaults to "atd crond")


	Because the apmscript is executed as the superuser, some kinds of
	symlink attacks are possible.

	The vulnerability is exploitable on a small number of systems because the
	APM low-battery state is signaled on laptops or special machines only.

	Because the content of the touch'ed file will not be modified, it seems
	to be hard to gain additional privileges. But DoS attacks are possible.

	 Proof of concept




	[otheruser@bar]$ ssh foo

	[otheruser@foo]$ exit


	[joeuser@foo]$ ln -s /etc/nologin /tmp/LOW_POWER

	 ...[provoke low-battery state; e.g. cut powerline and wait some time] ...


	[otheruser@bar]$ ssh foo

	Connection to foo closed.





	No official solution yet.




	Remove the line from the apmscript file.
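
	For scripts that still need such a flag file, a hardened replacement for the touch /tmp/LOW_POWER pattern is sketched below. This is an added example, not code from the advisory or from the apmd package; the function names set_flag and demo and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; set_flag and demo are hypothetical names, not apmd code.
# set_flag DIR NAME: create the empty flag file DIR/NAME only when DIR is
# owned by the caller, not group/world-writable, and NAME is not a symlink.
set_flag() {
    dir=$1
    flag=$1/$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # Root cause in the advisory: the flag lived in world-writable /tmp,
    # so any local user could pre-create the name. Reject such directories.
    [ -n "$(find "$dir" -prune -user "$(id -u)" ! -perm -020 ! -perm -002 -print)" ] || return 1
    # Refuse a symlink at the flag path, even a dangling one.
    [ ! -L "$flag" ] || return 1
    # An existing flag is left alone; otherwise noclobber (set -C) makes
    # the redirection fail instead of writing through an existing name.
    [ -e "$flag" ] || ( set -C; : > "$flag" ) 2>/dev/null
}

# Constructed sandbox: "shared" mimics /tmp (mode 1777) with a planted
# symlink; "state" mimics a private directory such as one under /var/run.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/shared" "$base/state"
    chmod 1777 "$base/shared"
    chmod 700 "$base/state"
    ln -s "$base/victim" "$base/shared/LOW_POWER"
    set_flag "$base/shared" LOW_POWER && r1=created || r1=refused
    [ -e "$base/victim" ] && r2=victim-touched || r2=victim-untouched
    set_flag "$base/state" LOW_POWER && r3=created || r3=refused
    rm -rf "$base"
    echo "$r1 $r2 $r3"
}

demo
```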
