systemd create or overwrite arbitrary files

2014.04.21
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-59


CVSS Base Score: 6.3/10
Impact Subscore: 9.2/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: Complete

The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. diff --git a/src/login/logind-session.c b/src/login/logind-session.c index e78af02..bb802e5 100644 --- a/src/login/logind-session.c +++ b/src/login/logind-session.c @@ -376,15 +376,13 @@ static int session_link_x11_socket(Session *s) { return -ENOENT; } - t = strappend(s->user->runtime_path, "/X11/display"); + t = strappend(s->user->runtime_path, "/X11-display"); if (!t) { log_error("Out of memory"); free(f); return -ENOMEM; } - mkdir_parents(t, 0755); - if (link(f, t) < 0) { if (errno == EEXIST) { unlink(t); @@ -637,7 +635,7 @@ static int session_unlink_x11_socket(Session *s) { s->user->display = NULL; - t = strappend(s->user->runtime_path, "/X11/display"); + t = strappend(s->user->runtime_path, "/X11-display"); if (!t) { log_error("Out of memory"); return -ENOMEM;


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top