Redhat/CentOS root through network-scripts

Related Vulnerabilities:

            Hi there,

Just found an issue in Redhat/CentOS which according to RedHat security team is not an issue. I don't know, sounds 
weird to me.

If, for whatever reason, a user is able to write an ifcf-<whatever> script to /etc/sysconfig/network-scripts or it can 
adjust an existing one, then your system in pwned.

Network scripts, ifcg-eth0 for example are used for network connections. The look exactly like .INI files. However, 
they are ~sourced~ on Linux by Network Manager (dispatcher.d).

In my case, the NAME= attributed in these network scripts is not handled correctly. If you have white/blank space in 
the name the system tries to execute the part after the white/blank space. Which means; everything after the first 
blank space is executed as root.

For example:


NAME=Network /bin/id  <= Note the blank space

Yes, any script in that folder is executed by root because of the sourcing technique. Ex: . 
Me as a developer, I don't really get why you want to do it like this. Its just <~>

So, if a use manage to get his hands on any of these files your box is gone. Protect them with your life.

Sent through the Full Disclosure mailing list
<a rel="nofollow" href=""></a>
Web Archives &amp; RSS: <a rel="nofollow" href=""></a>