• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Shadow-Utils 'useradd' Local Insecure Permissions Vulnerability

The 'useradd' utility in shadow-utils is prone to a local insecure-permissions vulnerability. This issue is due to a race-condition between when user mailboxes are created and when permissions are set on the file.

A local, unprivileged attacker can exploit this issue to gain access to newly created mailbox files. This may allow them to directly inject forged email messages to aid them in social-engineering attacks. Attackers may also be able to inject data into the mailbox file that will cause mail applications to fail to access the file, denying email access to targeted users. Other attacks may also be possible.

This issue affects shadow-utils 4.0.3; other versions may also be affected.