4th Dec 2001 [SBWID-4888]
COMMAND
apmd
SYSTEMS AFFECTED
Red Hat 7.2 "Enigma" with the apmd-3.0final-34 package installed
Previous Red Hat distributions are not affected.
Because the vulnerability was introduced by a script that is not in the official apmd package, most other GNU/Linux distributions are not affected.
PROBLEM
Enrico Scholz reported the following:
/etc/sysconfig/apm-scripts/apmscript executes the line
| touch /tmp/LOW_POWER
when
- the APM system signals a low-battery state and
- if $LOWPOWER_SERVICES is not empty (it defaults to "atd crond")
Because the apmscript is executed as the superuser, some kinds of
symlink attacks are possible.
The vulnerability is exploitable on a small number of systems because the
APM low-battery state is signaled on laptops or special machines only.
Because the content of the touch'ed file will not be modified, it seems
to be hard to gain additional privileges. But DoS attacks are possible.
Proof of concept
----------------
[otheruser@bar]$ ssh foo
[otheruser@foo]$ exit
[joeuser@foo]$ ln -s /etc/nologin /tmp/LOW_POWER
...[provoke low-battery state; e.g. cut powerline and wait some time] ...
[otheruser@bar]$ ssh foo
Connection to foo closed.
[otheruser@bar]$
SOLUTION
No official solution yet.
Workaround
==========
Remove the line in the apmscript file.
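
The touch pattern from the report next to a hardened variant, as an added example that is not part of the advisory or of the apmd package. The helper flag_safe, the sandbox directories ("shared" standing in for /tmp, "state" for a root-only directory) and the stand-in "nologin" target are constructed for illustration.

```sh
#!/bin/sh
# Added example. All paths live in a constructed sandbox; the real script
# used /tmp/LOW_POWER and ran as the superuser.

# Pattern from the advisory: touch follows a symlink planted at the flag
# path, so the caller creates whatever file the link points to.
flag_unsafe() {
    touch "$1"
}

# Hardened variant (hypothetical helper): only write the flag inside a
# directory other users cannot write to, and never through a symlink.
flag_safe() {
    flag=$1
    dir=$(dirname "$flag")
    # The directory must be owned by the caller ...
    [ -n "$(find "$dir" -prune -user "$(id -u)")" ] || return 1
    # ... and must not be group- or world-writable (this rejects /tmp).
    [ -z "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \))" ] || return 1
    # Other users cannot create entries here, so they cannot race this check.
    [ ! -L "$flag" ] || return 1
    touch "$flag"
}

# Runs both variants in a throwaway sandbox and reports what happened.
demo() {
    box=$(mktemp -d) || return 1
    mkdir -m 1777 "$box/shared"
    mkdir -m 0700 "$box/state"
    ln -s "$box/nologin" "$box/shared/LOW_POWER"   # precondition from the advisory

    flag_unsafe "$box/shared/LOW_POWER"
    [ -e "$box/nologin" ] && unsafe=created || unsafe=untouched
    rm -f "$box/nologin"

    flag_safe "$box/shared/LOW_POWER" && shared=written || shared=refused
    [ -e "$box/nologin" ] && after=created || after=untouched
    flag_safe "$box/state/LOW_POWER" && state=written || state=refused

    rm -rf "$box"
    echo "unsafe=$unsafe shared=$shared target_after_safe=$after state=$state"
}

demo
```

On current Linux kernels the fs.protected_symlinks sysctl additionally refuses to follow another user's symlink in a sticky world-writable directory; the sandbox plants the link as the same user, so the unsafe case still shows.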