Vigil@nce - RPM: no reset of file privileges
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the rpm command updates a package, suid/sgid bits and POSIX
capabilities are not reset on files cloned by a hard link.
Severity: 2/4
Creation date: 07/07/2010
DESCRIPTION OF THE VULNERABILITY
The "ln" command can create "hard links": a second directory entry
that refers to the same inode as an existing file on the same
filesystem. Creating a hard link classically requires only write
access to the directory receiving the link, not to the file itself
(Linux only added the fs.protected_hardlinks restriction in 3.6, in
2012). A local user can thus create "clones" of files belonging to
another user. Since the clone shares the inode, it shares the mode
bits: if the source file is suid, the clone is also suid. Deleting
the source file only removes its directory entry; the inode survives
as long as the clone exists, so the clone keeps its suid bit.
When the rpm package manager updates a package containing a
suid/sgid file, it replaces or removes the old file but does not
clear the bits on the old inode, so the clone keeps its suid/sgid
bit. [severity:2/4; 598775, CVE-2010-2059]
When the rpm package manager updates a package containing a file
with POSIX capabilities, the old inode's capabilities are likewise
not cleared, so the clone keeps its capabilities. [severity:2/4;
601955, CVE-2010-2198]
When the rpm command updates a package, suid/sgid bits and POSIX
capabilities are therefore not reset on files cloned by a hard
link.
A local attacker who prepared such a clone beforehand can therefore
continue to exploit a vulnerability in the old suid program, even
after its package was updated via rpm. Because hard links cannot
cross filesystems, keeping user-writable directories (/home, /tmp,
/var/tmp) on a separate filesystem from the one holding setuid
binaries prevents a local user from creating such clones.
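The following shell script, added here as an illustration and not part of the Vigil@nce bulletin or of rpm's own code, reproduces the behaviour described above in a temporary directory: a setuid file is hard-linked, replaced the naive way (a new file renamed over the old path), and the clone is found to still carry the setuid bit. The safe_upgrade function shows the countermeasure a package manager must apply: strip setuid/setgid (and capabilities, via setcap -r where the tool is available) from the old inode before replacing it, so that every other name for that inode loses the privileges too. All paths and file contents are constructed for the example; no root privilege is needed, since a user may set the setuid bit on a file they own.

```shell
#!/bin/sh
# Hard links preserve mode bits across a naive replace; clearing the
# privilege bits on the old inode first is the fix. Paths under
# $WORKDIR are constructed for this example.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Simulate a packaged setuid program and an attacker's hard-linked clone.
setup_clone() {
    printf '#!/bin/sh\necho old version\n' > "$WORKDIR/tool"
    chmod 4755 "$WORKDIR/tool"           # setuid bit on a file we own
    ln "$WORKDIR/tool" "$WORKDIR/clone"  # same inode, hence same mode bits
}

# Naive upgrade: write the new file and rename it over the old path.
# The old inode is untouched, so the clone keeps the setuid bit.
naive_upgrade() {
    printf '#!/bin/sh\necho new version\n' > "$WORKDIR/tool.new"
    chmod 4755 "$WORKDIR/tool.new"
    mv -f "$WORKDIR/tool.new" "$WORKDIR/tool"
}

# Hardened upgrade: drop setuid/setgid and any capabilities from the
# old inode before replacing it; every other link to it loses them too.
safe_upgrade() {
    chmod u-s,g-s "$WORKDIR/tool"
    if command -v setcap >/dev/null 2>&1; then
        setcap -r "$WORKDIR/tool" 2>/dev/null || true   # no caps set: ignore
    fi
    printf '#!/bin/sh\necho new version\n' > "$WORKDIR/tool.new"
    chmod 4755 "$WORKDIR/tool.new"
    mv -f "$WORKDIR/tool.new" "$WORKDIR/tool"
}

# Exit status 0 if the clone still carries the setuid bit (POSIX test -u).
clone_is_setuid() {
    [ -u "$WORKDIR/clone" ]
}

cleanup() {
    rm -rf "$WORKDIR"
}

# Usage:
#   setup_clone; naive_upgrade; clone_is_setuid && echo "clone still setuid"
#   cleanup; WORKDIR=$(mktemp -d)
#   setup_clone; safe_upgrade;  clone_is_setuid || echo "clone no longer setuid"
#   cleanup
```

The script deliberately mirrors rpm's "install to a new name, then rename over the old path" pattern, because that is exactly the sequence that leaves the old inode reachable through the attacker's link. The test uses the POSIX -u file operator rather than GNU stat output so it runs on any sh.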
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/RPM-no-reset-of-file-privileges-9743