Vigil@nce: acpid, altering a file
December 2009 by Vigil@nce
The acpid daemon creates its log file with a mode allowing a local
attacker to read or modify it.
– Severity: 1/4
– Consequences: data creation/edition
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 21/12/2009
IMPACTED PRODUCTS
– Debian Linux
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The acpid (Advanced Configuration and Power Interface) daemon logs
its events in the /var/log/acpid file.
To create this file, it uses (simplified):
open(logfile, O_CREAT);
However, the creation mode, the third argument that open() requires whenever O_CREAT is passed, is not defined; a correct call would be of the form:
open(logfile, O_CREAT, 0610);
The open() system call thus uses the current value on the stack as
mode. This value is random. The file can thus be readable or
writable by all users.
A local attacker can therefore read or modify the log file. If the
file is created suid/sgid, the attacker may elevate his privileges.
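As an added example (not part of the Vigil@nce advisory or of acpid's own code), the following C program shows the corrected pattern the description implies: an explicit mode on every O_CREAT open, plus a restrictive umask so that even a careless mode argument cannot leave group or world write bits. It also includes the check a defender can run against an existing log file to detect the over-permissive state the advisory describes. The path /tmp/acpid-demo.log, the log line and the function names are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hardened log-file creation. O_CREAT is always paired with an explicit
 * mode (never left to whatever happens to be in the argument slot), and
 * the umask is tightened for the duration of the call so that group and
 * other can never receive write permission. O_NOFOLLOW refuses to follow
 * a symlink planted at the log path. */
int open_log_safely(const char *path)
{
    mode_t old = umask(027);
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    umask(old);
    return fd;
}

/* Audit check for an existing log file: returns 1 if the file is writable
 * by group or others (the condition the advisory describes), 0 if it is
 * not, and -1 if the file cannot be stat'ed. */
int log_is_group_or_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Demonstration helper (hypothetical): create a fresh log file at path,
 * write one constructed event line, and return the permission bits the
 * kernel actually assigned, or -1 on failure. Any stale copy is removed
 * first so the mode observed is the one from this creation. */
int demo_create_and_check(const char *path)
{
    struct stat st;
    const char *line = "acpid: constructed sample event\n";
    int fd;

    (void)unlink(path);
    fd = open_log_safely(path);
    if (fd < 0)
        return -1;
    if (write(fd, line, strlen(line)) < 0) {
        close(fd);
        return -1;
    }
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    const char *path = "/tmp/acpid-demo.log"; /* hypothetical scratch path */
    int mode = demo_create_and_check(path);

    printf("%s created with mode %04o, group/other-writable: %d\n",
           path, mode, log_is_group_or_world_writable(path));
    unlink(path);
    return mode < 0;
}
```

With the umask in place the file comes out 0640 regardless of the mode argument's low bits, which is the property a reviewer should verify in any daemon that creates files as root: the mode is explicit, and the umask bounds it.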
CHARACTERISTICS
– Identifiers: 515062, 542926, BID-37249, CVE-2009-4033,
CVE-2009-4235, DSA 1960-1, RHSA-2009:1642-02, VIGILANCE-VUL-9305
– Url: http://vigilance.fr/vulnerability/acpid-altering-a-file-9305