SYNTHESIS

A local attacker can create a sgid file in order to obtain
privileges of a group.

Gravity : 2/4

Consequences : privileged access/rights

Provenance : user shell

Means of attack : no proof of concept, no attack

Ability of attacker : expert (4/4)

Confidence : confirmed by the editor (5/5)

Diffusion of the vulnerable configuration : high (3/3)

Creation date : 03/10/2008

IMPACTED PRODUCTS

– Linux kernel

DESCRIPTION

Each file/directory has a owner and a group. The sgid bit (octal
02000) has the following meaning :

– on a file : when the file is executed, the process has the
privileges of the group of the file (instead of the group of
the user executing the file)

– on a directory : when a file is created in this directory, its
group is the group of the directory (instead of the group of
the user creating the file) (compatible BSD semantic)

The open() and creat() functions have a parameter to indicate the
requested mode when a file is created. A local attacker can
therefore create a file with the sgid bit in a directory which
also has this bit. The file then has the group of the directory
and the sgid bit. The attacker can then use the splice() function
to convert this program to a binary file (he cannot use write()
because this function removes the sgid bit).

A local attacker can therefore create a sgid program in order to
obtain the privileges of the group. To exploit this vulnerability,
a sgid directory has to exist on the system.

CHARACTERISTICS

Identifiers : 464450, BID-31567, CVE-2008-3833, VIGILANCE-VUL-8143

http://vigilance.aql.fr/vulnerability/8143