
Multiple Vendor CDE ToolTalk Database Server Symbolic Link Vulnerability

CDE ships with a daemon called the ToolTalk database server. The ToolTalk database server allows programs designed for use in CDE to communicate with each other. It is enabled by default on most systems shipped with CDE.

The ToolTalk database server contains a symbolic link vulnerability that is exploitable by attackers with access to the filesystem.

The server logs transactions to logfiles whose filenames are based on the name of the ToolTalk database supplied by the client. When writing to a logfile, the server does not check whether it is a symbolic link. If an attacker creates a symbolic link on the filesystem at the path/filename of the logfile, transaction data will be written to the file the link points to, as root.

Exploitation of this vulnerability may result in a denial of service if sensitive files are corrupted. As client-supplied data is written to the file, it may also be possible for this vulnerability to be exploited to elevate privileges.







 

Copyright 2008, SecurityFocus