getty_ps /tmp File Race Condition Vulnerability

getty_ps is an open source, freely available, publicly maintained software package shipped with many distributions of Linux. It is designed to handle logins to the console and terminal.

A problem in the getty_ps software package could make it vulnerable to a symbolic link attack. The problem occurs in the creation and handling of files in the /tmp directory by the getty_ps program. Under certain circumstances, getty_ps will create files in the /tmp filesystem in an insecure manner. The program uses a naming scheme that could make it possible to guess the filename of future files in the /tmp directory, and does not check for the existance of the file before attempting to create it. It is possible to create a range of symbolic links with forecasted filenames, and link them to files that are write-accessible by the UID of the getty_ps process, which is normally run as root. A malicious user could use this vulnerability to overwrite or append to and corrupt system files.


Privacy Statement
Copyright 2010, SecurityFocus