Vigil@nce: GDM, privilege elevation via cache clean
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the cache cleaning feature of GDM, in
order to become the owner of a file, which allows him to gain root
privileges.
– Severity: 2/4
– Creation date: 29/03/2011
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– OpenSUSE
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Server
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The GNOME Display Manager uses a cache (/var/cache/gdm/$USER)
since version 2.28.0, in order to store copies of dmrc and images
files.
When the user logouts, GDM copies (with root privileges) user’s
files in this cache. Then, it changes the owner/group of these
files, so they belong to the user.
However, as the user owns the cache directory, he can replace a
file by a symbolic link to a system file. GDM then changes the
owner of the file pointed by the link. The attacker can then edit
the system file.
A local attacker can therefore use the cache cleaning feature of
GDM, in order to become the owner of a file, which allows him to
gain root privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/GDM-privilege-elevation-via-cache-clean-10501