Vigil@nce: xfs, file creation
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a symbolic link in order to force the xfs
startup script to create a file.
Gravity: 1/4
Consequences: data creation/editing
Provenance: user shell
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 25/03/2009
IMPACTED PRODUCTS
– Debian Linux
– OpenSUSE
– Red Hat Enterprise Linux
– SuSE Linux
DESCRIPTION OF THE VULNERABILITY
The xfs (X Font Server) service is used to provide character
fonts. It is started by /etc/init.d/xfs.
The /etc/init.d/xfs script creates the /tmp/.font-unix directory
to store sockets. If a /tmp/.font-unix file already exists, the
script renames it to ".font-unix.$$" ($$ is the process ID of the
shell running the script). However, it does not check whether the
rename target is a symbolic link. If a local attacker creates a
symbolic link named /tmp/.font-unix.$$ that points to a directory,
the ".font-unix" file is moved into that directory with root
privileges.
A local attacker can therefore use a symbolic link in order to
force the xfs startup script to create a file named ".font-unix"
in any directory.
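A hardened form of the "move aside, then mkdir" step described above,
as an added example (it is not code from the xfs init script or from
any distribution). The function name prepare_socket_dir, its
parameters and the default mode 1777 are assumptions; the rename
target comes from mktemp -d instead of the ".font-unix.$$" name.

```sh
#!/bin/sh
# Added example, not the distribution's init script.
# prepare_socket_dir BASE NAME [MODE]: hypothetical helper. BASE stands in
# for /tmp; the default MODE is an assumption, the advisory does not state it.
prepare_socket_dir() {
    base=$1 name=$2 mode=${3:-1777}
    target="$base/$name"

    # A real directory (not a symlink) that we own is reused as-is.
    if [ -d "$target" ] && [ ! -L "$target" ] && [ -O "$target" ]; then
        return 0
    fi

    # Anything else at that path (file, symlink, foreign directory) is moved
    # into a directory that mktemp creates itself, mode 0700, with a random
    # suffix. Unlike "$name.$$", that destination cannot be planted in advance.
    if [ -e "$target" ] || [ -L "$target" ]; then
        aside=$(mktemp -d "$base/$name.aside.XXXXXX") || return 1
        mv -- "$target" "$aside/$name" || return 1
    fi

    # mkdir fails on any existing entry, symlinks included, so a link raced
    # into place at this point produces an error instead of being followed.
    mkdir -m "$mode" -- "$target" || return 1
    [ -d "$target" ] && [ ! -L "$target" ]
}

# Constructed demo in a throwaway sandbox, never the real /tmp.
demo=$(mktemp -d) || exit 1
: > "$demo/.font-unix"                      # stale non-directory entry
prepare_socket_dir "$demo" .font-unix && ls -ld "$demo/.font-unix"
rm -rf -- "$demo"
```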
CHARACTERISTICS
Identifiers: 299560, 408006, 492098, 521107, VIGILANCE-VUL-8560