arpwatch /tmp File Race Condition Vulnerability

arpwatch is a program designed as part of the tcpdump package. It is distributed with numerous UNIX variants and is freely available. Immunix is a hardened Linux distribution maintained by the Immunix group at WireX Corporation.

A vulnerability exists in arpwatch that could allow a user to perform a symbolic link attack. Under certain conditions, arpwatch creates files in the /tmp directory when it is executed. These files are not created in a secure manner, and the program does not stat() them when it attempts to create them. It is possible to guess the names of these files and create them in advance as symbolic links to files that are writable by the user executing arpwatch. The user executing arpwatch would then overwrite the linked files, or append content to them, thus corrupting them. This makes it possible for a user with malicious motives to overwrite or append to files owned by the user running arpwatch, who is typically root.
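The defensive counterpart to the unsafe file creation described above, as an added example that is not arpwatch's code or its vendor fix: a create-only open that refuses a name someone else has already planted. The function names and the paths under /tmp are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern, for contrast: fopen(path, "w") on a predictable /tmp name
 * follows a pre-planted symlink and truncates whatever it points to.
 * Hardened: O_CREAT|O_EXCL fails (EEXIST) if anything, including a dangling
 * symlink, already has that name; O_NOFOLLOW is defence in depth. */
int open_new_private(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check on constructed paths: plant a symlink where the temp file would
 * go; returns 1 if the open is refused and the link target is unchanged. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX";   /* constructed name */
    char target[64], lnk[64];
    struct stat st;
    int ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable.tmp", dir);
    FILE *f = fopen(target, "w");
    if (f != NULL) {
        fputs("keep", f);
        fclose(f);
        if (symlink(target, lnk) == 0) {
            int fd = open_new_private(lnk);
            ok = fd == -1 && stat(target, &st) == 0 && st.st_size == 4;
            if (fd != -1)
                close(fd);
        }
    }
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    return symlink_is_refused() ? 0 : 1;
}
```

Where the file name does not need to be fixed, mkstemp() removes the predictable name altogether and creates the file with the same exclusive semantics.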


 

Copyright 2010, SecurityFocus