Brief Description: An exploitable race condition exists in the mkdir(1) code, which allows a user to change the ownership of any file.
Detailed Description: mkdir creates directories by calling mknod(2), which creates the directory, and chown(2), which changes the ownership of the newly-created directory from root to the real UID. The gap between the two system calls creates a race condition in which one can delete the newly-created directory and make a hard link to any file. The chown then changes the ownership of that file.
Component(s): mkdir, mknod, chown
Version(s): All versions
Operating System(s): UNIX version 7
Other Information: You need access to a user account.
Effects:You can change the ownership of any file on a file system on which you can create a file.
Detecting the Vulnerability:
* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.
* Check your mkdir executable for the two system calls. If it has them, you are probably vulnerable.
Fixing the Vulnerability:
* Upgrade to a newer version. You need to be sure your newer version works on UNIX version 7, because that system does not have the mkdir(2) system call.
* This requires kernel hacking. Create the mkdir system call.
* If you have critical section primitives, make the entry point of a critical section occur before the mknod<syscall> and end after the <syscall>chown. That way, the process grabs the system and does not release it until the directory is created and owned by the real UID.
Keywords:race condition, mkdir,chown,mknod
Attack Methods or Tools: Not provided.
Advisories and Other Alerts: None.
Related Vulnerabilities: Andrew S. Tanenbaum, Operating Systems Design and Implementation, Prentice-Hall, Inc. (1987).
First Report We Know Of: by unknown
Revisions of Database Record
1. Omar Vanegas(July 27, 1998): Entered into DOVES.
2. Mike Dilger(original): Entered into original database.