Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.2
CVSSv2

CVE-2008-5394

Published: 09/12/2008 Updated: 11/10/2018
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 725
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Debian

Vulnerability Summary

/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.

Vulnerable Product Search on Vulmon Subscribe to Product

debian shadow 4.0.18.1

Vendor Advisories

Debian CVElist Bug Report Logs: symlink attack in login leading to arbitrary file ownership
Debian Bug report logs - #505271 symlink attack in login leading to arbitrary file ownership Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@listsaliothdebianorg>; Source for login is src:shadow (PTS, buildd, popcon) Reported by: Paul Szabo <psz@mathsusydeduau> Date: Sun, 9 ...
Ubuntu Security Notice: shadow vulnerability
Paul Szabo discovered a race condition in login While setting up tty permissions, login did not correctly handle symlinks If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation ...
Debian Security Advisories: DSA-1709-1 shadow -- race condition
Paul Szabo discovered that login, the system login tool, did not correctly handle symlinks while setting up tty permissions If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation For the stable distribution (et ...

Exploits

Exploit DB: Debian - Symlink In Login Arbitrary File Ownership
#!/bin/bash - echo ' #include <stringh> #include <stdlibh> #include <unistdh> #include <utmph> #include <sys/typesh> #include <stdioh> int main(int argc, char *argv[]) { struct utmp entry; int i; entryut_type=LOGIN_PROCESS; strcpy(entryut_line,"/tmp/x"); entryut_time=0; strcp ...

References

CWE-59http://bugs.debian.org/332198http://bugs.debian.org/505071http://bugs.debian.org/505271http://www.securityfocus.com/bid/32552http://www.ubuntu.com/usn/usn-695-1http://securityreason.com/securityalert/4695http://security.gentoo.org/glsa/glsa-200903-24.xmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2009:062http://osvdb.org/52200https://exchange.xforce.ibmcloud.com/vulnerabilities/47037https://www.exploit-db.com/exploits/7313http://www.securityfocus.com/archive/1/498769/100/0/threadedhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505271https://usn.ubuntu.com/695-1/https://nvd.nist.govhttps://www.exploit-db.com/exploits/7313/
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-32886insecure direct object referenceCVE-2024-34342file inclusionCVE-2024-34562CVE-2024-34347CVE-2024-26026CVE-2024-4647unprivileged
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook