ID

VAR-200208-0247


CVE

CVE-2002-0638


TITLE

util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Trust: 0.8

sources: CERT/CC: VU#405955

DESCRIPTION

setpwnam.c in the util-linux package, as included in Red Hat Linux 7.3 and earlier, and other operating systems, does not properly lock a temporary file when modifying /etc/passwd, which may allow local users to gain privileges via a complex race condition that uses an open file descriptor in utility programs such as chfn and chsh.

The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system. The util-linux package is a set of commonly used system utilities such as 'chfn' and 'chsh'. It is included with many Linux distributions. The condition is related to file locking. Failure to check for the existence of a lockfile prior to sensitive operations may, under specific circumstances, open a window of opportunity for attack. The util-linux utilities often write to sensitive files such as /etc/passwd. The reported attacks are complex, time dependent and require specific circumstances such as system administrator interaction and a large passwd file. Red Hat Linux is known to ship with util-linux as a core component. Other distributions, those that are derived from Red Hat in particular, may also be vulnerable. It should be noted that the utilities included with the shadow-utils package (shipped with SuSE Linux) are not vulnerable.

The util-linux package contains multiple tools for performing Linux system functions. For example, the 'chfn' tool allows users to modify personal information stored in the /etc/passwd file. To modify this file, the application must be installed with setuid root privileges. Under certain conditions, a carefully constructed attack sequence can abuse flaws in the complex file locking and modification operations in login-utils/setpwnam.c to win a race condition and modify files such as /etc/passwd, resulting in privilege escalation.
However, successfully exploiting this vulnerability to escalate privileges requires some interaction with the administrator. In addition, the password file must exceed 4K bytes, and the entry that the local attacker modifies in /etc/passwd must not be within the last 4K bytes of the password file.

Trust: 2.7

sources: NVD: CVE-2002-0638 // CERT/CC: VU#405955 // JVNDB: JVNDB-2002-000170 // BID: 5344 // VULHUB: VHN-5029

AFFECTED PRODUCTS

vendor: redhat, model: linux, scope: eq, version: 7.2

Trust: 1.9

vendor: redhat, model: linux, scope: eq, version: 7.0

Trust: 1.9

vendor: redhat, model: linux, scope: eq, version: 6.1

Trust: 1.9

vendor: redhat, model: linux, scope: eq, version: 6.0

Trust: 1.9

vendor: redhat, model: linux, scope: eq, version: 6.2

Trust: 1.9

vendor: redhat, model: linux, scope: eq, version: 7.3

Trust: 1.3

vendor: redhat, model: linux, scope: eq, version: 7.1

Trust: 1.3

vendor: mandrakesoft, model: mandrake linux, scope: eq, version: 7.0

Trust: 1.0

vendor: mandrakesoft, model: mandrake single network firewall, scope: eq, version: 7.2

Trust: 1.0

vendor: mandrakesoft, model: mandrake linux, scope: eq, version: 7.1

Trust: 1.0

vendor: mandrakesoft, model: mandrake linux, scope: eq, version: 7.2

Trust: 1.0

vendor: mandrakesoft, model: mandrake linux corporate server, scope: eq, version: 1.0.1

Trust: 1.0

vendor: hp, model: secure os, scope: eq, version: 1.0

Trust: 1.0

vendor: mandrakesoft, model: mandrake linux, scope: eq, version: 8.2

Trust: 1.0

vendor: mandrakesoft, model: mandrake linux, scope: eq, version: 8.1

Trust: 1.0

vendor: mandrakesoft, model: mandrake linux, scope: eq, version: 8.0

Trust: 1.0

vendor: red hat, model: -, scope: -, version: -

Trust: 0.8

vendor: sun microsystems, model: -, scope: -, version: -

Trust: 0.8

vendor: the sco group sco linux, model: -, scope: -, version: -

Trust: 0.8

vendor: sun microsystems, model: cobalt raq2, scope: -, version: -

Trust: 0.8

vendor: sun microsystems, model: cobalt raq3, scope: -, version: -

Trust: 0.8

vendor: sun microsystems, model: cobalt raq4, scope: -, version: -

Trust: 0.8

vendor: sun microsystems, model: cobalt raq550, scope: -, version: -

Trust: 0.8

vendor: sun microsystems, model: cobalt raqxtr, scope: -, version: -

Trust: 0.8

vendor: red hat, model: linux, scope: eq, version: 6.2

Trust: 0.8

vendor: red hat, model: linux, scope: eq, version: 7.0

Trust: 0.8

vendor: red hat, model: linux, scope: eq, version: 7.1

Trust: 0.8

vendor: red hat, model: linux, scope: eq, version: 7.2

Trust: 0.8

vendor: red hat, model: linux, scope: eq, version: 7.3

Trust: 0.8

vendor: redhat, model: util-linux-2.11n-12.i386.rpm, scope: -, version: -

Trust: 0.3

vendor: redhat, model: util-linux-2.10s-12.i386.rpm, scope: -, version: -

Trust: 0.3

vendor: redhat, model: util-linux-2.10m-12.i386.rpm, scope: -, version: -

Trust: 0.3

vendor: redhat, model: util-linux-2.10f-7.i386.rpm, scope: -, version: -

Trust: 0.3

vendor: redhat, model: mount-2.11n-12.i386.rpm, scope: -, version: -

Trust: 0.3

vendor: redhat, model: losetup-2.11n-12.i386.rpm, scope: -, version: -

Trust: 0.3

vendor: redhat, model: linux ia64, scope: eq, version: 7.2

Trust: 0.3

vendor: redhat, model: linux alpha, scope: eq, version: 7.2

Trust: 0.3

vendor: redhat, model: linux ia64, scope: eq, version: 7.1

Trust: 0.3

vendor: redhat, model: linux alpha, scope: eq, version: 7.1

Trust: 0.3

vendor: redhat, model: linux alpha, scope: eq, version: 7.0

Trust: 0.3

vendor: redhat, model: linux sparc, scope: eq, version: 6.2

Trust: 0.3

vendor: redhat, model: linux alpha, scope: eq, version: 6.2

Trust: 0.3

vendor: redhat, model: linux sparc, scope: eq, version: 6.1

Trust: 0.3

vendor: redhat, model: linux alpha, scope: eq, version: 6.1

Trust: 0.3

vendor: redhat, model: linux sparc, scope: eq, version: 6.0

Trust: 0.3

vendor: redhat, model: linux alpha, scope: eq, version: 6.0

Trust: 0.3

vendor: mandriva, model: linux mandrake ppc, scope: eq, version: 8.2

Trust: 0.3

vendor: mandriva, model: linux mandrake, scope: eq, version: 8.2

Trust: 0.3

vendor: mandriva, model: linux mandrake ia64, scope: eq, version: 8.1

Trust: 0.3

vendor: mandriva, model: linux mandrake, scope: eq, version: 8.1

Trust: 0.3

vendor: mandriva, model: linux mandrake ppc, scope: eq, version: 8.0

Trust: 0.3

vendor: mandriva, model: linux mandrake, scope: eq, version: 8.0

Trust: 0.3

vendor: mandriva, model: linux mandrake, scope: eq, version: 7.2

Trust: 0.3

vendor: mandriva, model: linux mandrake, scope: eq, version: 7.1

Trust: 0.3

vendor: mandriva, model: linux mandrake, scope: eq, version: 7.0

Trust: 0.3

vendor: mandrakesoft, model: single network firewall, scope: eq, version: 7.2

Trust: 0.3

vendor: mandrakesoft, model: corporate server, scope: eq, version: 1.0.1

Trust: 0.3

vendor: hp, model: secure os software for linux, scope: eq, version: 1.0

Trust: 0.3

vendor: caldera, model: openlinux workstation, scope: eq, version: 3.1.1

Trust: 0.3

vendor: caldera, model: openlinux workstation, scope: eq, version: 3.1

Trust: 0.3

vendor: caldera, model: openlinux server, scope: eq, version: 3.1.1

Trust: 0.3

vendor: caldera, model: openlinux server, scope: eq, version: 3.1

Trust: 0.3

sources: CERT/CC: VU#405955 // BID: 5344 // JVNDB: JVNDB-2002-000170 // CNNVD: CNNVD-200208-115 // NVD: CVE-2002-0638

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2002-0638
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#405955
value: 10.97

Trust: 0.8

NVD: CVE-2002-0638
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200208-115
value: MEDIUM

Trust: 0.6

VULHUB: VHN-5029
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2002-0638
severity: MEDIUM
baseScore: 6.2
vectorString: AV:L/AC:H/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-5029
severity: MEDIUM
baseScore: 6.2
vectorString: AV:L/AC:H/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#405955 // VULHUB: VHN-5029 // JVNDB: JVNDB-2002-000170 // CNNVD: CNNVD-200208-115 // NVD: CVE-2002-0638

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2002-0638

THREAT TYPE

local

Trust: 0.9

sources: BID: 5344 // CNNVD: CNNVD-200208-115

TYPE

race condition

Trust: 0.6

sources: CNNVD: CNNVD-200208-115

CONFIGURATIONS

sources: JVNDB: JVNDB-2002-000170

PATCH

title: RHSA-2002:132
url: http://rhn.redhat.com/errata/RHSA-2002-132.html

Trust: 0.8

title: Sun Cobalt RaQ 3 Patches
url: http://sunsolve.sun.com/patches/cobalt/raq3.eng.html

Trust: 0.8

title: Sun Cobalt RaQ 4 Patches
url: http://sunsolve.sun.com/patches/cobalt/raq4.eng.html

Trust: 0.8

title: RHSA-2002:132
url: http://www.jp.redhat.com/support/errata/RHSA/RHSA-2002-132J.html

Trust: 0.8

sources: JVNDB: JVNDB-2002-000170

EXTERNAL IDS

db: CERT/CC, id: VU#405955

Trust: 3.3

db: BID, id: 5344

Trust: 2.8

db: NVD, id: CVE-2002-0638

Trust: 2.5

db: OSVDB, id: 5164

Trust: 1.7

db: XF, id: 9709

Trust: 1.4

db: JVNDB, id: JVNDB-2002-000170

Trust: 0.8

db: CNNVD, id: CNNVD-200208-115

Trust: 0.7

db: REDHAT, id: RHSA-2002:132

Trust: 0.6

db: REDHAT, id: RHSA-2002:137

Trust: 0.6

db: CONECTIVA, id: CLA-2002:523

Trust: 0.6

db: MANDRAKE, id: MDKSA-2002:047

Trust: 0.6

db: CALDERA, id: CSSA-2002-043.0

Trust: 0.6

db: BUGTRAQ, id: 20020729 RAZOR ADVISORY: LINUX UTIL-LINUX CHFN LOCAL ROOT VULNERABILITY

Trust: 0.6

db: BUGTRAQ, id: 20020730 TSLSA-2002-0064 - UTIL-LINUX

Trust: 0.6

db: HP, id: HPSBTL0207-054

Trust: 0.6

db: VULNWATCH, id: 20020729 [VULNWATCH] RAZOR ADVISORY: LINUX UTIL-LINUX CHFN LOCAL ROOT VULNERABILITY

Trust: 0.6

db: VULHUB, id: VHN-5029

Trust: 0.1

sources: CERT/CC: VU#405955 // VULHUB: VHN-5029 // BID: 5344 // JVNDB: JVNDB-2002-000170 // CNNVD: CNNVD-200208-115 // NVD: CVE-2002-0638

REFERENCES

url:http://www.securityfocus.com/bid/5344

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/405955

Trust: 2.5

url:http://archives.neohapsis.com/archives/bugtraq/2002-07/0396.html

Trust: 1.7

url:ftp://ftp.caldera.com/pub/security/openlinux/cssa-2002-043.0.txt

Trust: 1.7

url:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000523

Trust: 1.7

url:http://online.securityfocus.com/advisories/4320

Trust: 1.7

url:http://www.linux-mandrake.com/en/security/2002/mdksa-2002-047.php

Trust: 1.7

url:http://www.osvdb.org/5164

Trust: 1.7

url:http://rhn.redhat.com/errata/rhsa-2002-132.html

Trust: 1.7

url:http://www.redhat.com/support/errata/rhsa-2002-137.html

Trust: 1.7

url:http://archives.neohapsis.com/archives/bugtraq/2002-07/0357.html

Trust: 1.7

url:http://www.iss.net/security_center/static/9709.php

Trust: 1.7

url:http://marc.info/?l=bugtraq&m=102795787713996&w=2

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2002-0638

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/9709

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2002-0638

Trust: 0.8

url:http://marc.theaimsgroup.com/?l=bugtraq&m=102795787713996&w=2

Trust: 0.6

sources: CERT/CC: VU#405955 // VULHUB: VHN-5029 // JVNDB: JVNDB-2002-000170 // CNNVD: CNNVD-200208-115 // NVD: CVE-2002-0638

CREDITS

Michal Zalewski, lcamtuf@echelon.pl

Trust: 0.6

sources: CNNVD: CNNVD-200208-115

SOURCES

db: CERT/CC, id: VU#405955
db: VULHUB, id: VHN-5029
db: BID, id: 5344
db: JVNDB, id: JVNDB-2002-000170
db: CNNVD, id: CNNVD-200208-115
db: NVD, id: CVE-2002-0638

LAST UPDATE DATE

2024-08-14T15:15:11.146000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#405955, date: 2003-05-30T00:00:00
db: VULHUB, id: VHN-5029, date: 2016-10-18T00:00:00
db: BID, id: 5344, date: 2002-07-29T00:00:00
db: JVNDB, id: JVNDB-2002-000170, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200208-115, date: 2005-05-02T00:00:00
db: NVD, id: CVE-2002-0638, date: 2016-10-18T02:20:54.640

SOURCES RELEASE DATE

db: CERT/CC, id: VU#405955, date: 2002-07-29T00:00:00
db: VULHUB, id: VHN-5029, date: 2002-08-12T00:00:00
db: BID, id: 5344, date: 2002-07-29T00:00:00
db: JVNDB, id: JVNDB-2002-000170, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200208-115, date: 2002-07-29T00:00:00
db: NVD, id: CVE-2002-0638, date: 2002-08-12T04:00:00