Executive Summary
Summary | |
---|---|
Title | fsh symlink attack |
Informations | |||
---|---|---|---|
Name | DSA-002 | First vendor Publication | 2000-11-30 |
Vendor | Debian | Last vendor Modification | 2000-11-30 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Colin Phipps found an interesting symlink attack problem in fsh (a tool to quickly run remote commands over rsh/ssh/lsh). When fshd starts it creates a directory in /tmp to hold its sockets. It tries to do that securely by checking of it can chown that directory if it already exists to check if it is owner by the user invoking it. However an attacker can circumvent this check by inserting a symlink to a file that is owner by the user who runs fhsd and replacing that with a directory just before fshd creates the socket. This has been fixed in version 1.0.post.1-3potato. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. Debian GNU/Linux 2.2 alias potato |
Original Source
Url : http://www.debian.org/security/2000/dsa-002 |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 002-1 (fsh) File : nvt/deb_002_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
7208 | Debian fshd Symlink Arbitrary Command Execution fshd contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a symbolic link to a file owned by the user running fshd. Standard unix commands can be used to exploit this issue. This flaw may lead to a loss of Confidentiality, Integrity and/or Availability. |