Mkdir Race Condition

Vulnerability Description

Brief Description: An exploitable race condition exists in the mkdir(1) code, which allows a user to change the ownership of any file.

Detailed Description: mkdir creates directories by calling mknod(2), which creates the directory, and chown(2), which changes the ownership of the newly-created directory from root to the real UID. The gap between the two system calls creates a race condition in which one can delete the newly-created directory and make a hard link to any file. The chown then changes the ownership of that file.

Component(s): mkdir, mknod, chown

Version(s): All versions

Operating System(s): UNIX version 7

Other Information: You need access to a user account.

Effects: You can change the ownership of any file on a file system on which you can create a file.

Detecting the Vulnerability:

* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.

* Check your mkdir executable for the two system calls. If it has them, you are probably vulnerable.

Fixing the Vulnerability:

* Upgrade to a newer version. You need to be sure your newer version works on UNIX version 7, because that system does not have the mkdir(2) system call.

* This requires kernel hacking. Create the mkdir system call.

* If you have critical section primitives, make the entry point of a critical section occur before the mknod(2) system call and end after the chown(2) system call. That way, the process grabs the system and does not release it until the directory is created and owned by the real UID.

Cataloguing

Keywords: race condition, mkdir, chown, mknod

Exploiting

Attack Methods or Tools: Not provided.

Related Information

Advisories and Other Alerts: None.

Related Vulnerabilities: Andrew S. Tanenbaum, Operating Systems Design and Implementation, Prentice-Hall, Inc. (1987).

History

First Report We Know Of: by unknown

Revisions of Database Record

1. Omar Vanegas (July 27, 1998): Entered into DOVES.

2. Mike Dilger (original): Entered into original database.