COMMAND

    apmd

SYSTEMS AFFECTED

    Red Hat 7.2 "Enigma" with the apmd-3.0final-34 package installed.
    Previous Red Hat distributions are not affected, because the
    vulnerability was introduced by a script that is not part of the
    official apmd package; most other GNU/Linux distributions are not
    affected either.

PROBLEM

    Enrico Scholz reported the following:

    /etc/sysconfig/apm-scripts/apmscript executes the line

        touch /tmp/LOW_POWER

    when

    - the APM system signals a low-battery state and
    - $LOWPOWER_SERVICES is not empty (it defaults to "atd crond")

    Because the apmscript is executed as the superuser, some kinds of
    symlink attacks are possible.

    The vulnerability is exploitable on a small number of systems only,
    because the APM low-battery state is signaled on laptops or special
    machines only. Because the content of the touch'ed file will not be
    modified, it seems to be hard to gain additional privileges. But DoS
    attacks are possible.

    Proof of concept
    ----------------

        [otheruser@bar]$ ssh foo
        [otheruser@foo]$ exit
        [joeuser@foo]$ ln -s /etc/nologin /tmp/LOW_POWER
        ...[provoke low-battery state; e.g. cut powerline and wait some time]...
        [otheruser@bar]$ ssh foo
        Connection to foo closed.
        [otheruser@bar]$

SOLUTION

    No official solution yet.

    Workaround
    ==========

    Remove the line from the apmscript file.
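The pattern the advisory describes is a root-run script creating a fixed-name file in world-writable /tmp, where any local user can pre-place a symlink. The helper below is an added example and is not the advisory's or Red Hat's apmscript: it keeps the marker in a root-owned directory that is assumed to be not world-writable (the directory name is an assumption) and refuses to follow an existing symlink as defence in depth.

```shell
# Added example, not from the advisory or the apmd package.
# safe_marker_touch DIR NAME creates DIR/NAME as a state marker, but only if
# DIR is a real directory that others cannot write to and DIR/NAME is not a
# symlink. The symlink check alone would still be racy in a world-writable
# directory (TOCTOU); the real protection is the non-world-writable directory.
safe_marker_touch() {
  dir=$1
  name=$2
  path="$dir/$name"

  # The directory itself must not be a symlink and must exist.
  if [ -L "$dir" ] || [ ! -d "$dir" ]; then
    echo "refusing: $dir is not a plain directory" >&2
    return 1
  fi

  # Refuse world-writable directories such as /tmp: 'ls -ld' prints the
  # mode as e.g. drwxrwxrwt, and the 9th character is the other-write bit.
  case $(ls -ld "$dir") in
    ????????w*)
      echo "refusing: $dir is world-writable" >&2
      return 1 ;;
  esac

  # Refuse a pre-placed symlink (the /etc/nologin trick in the advisory).
  if [ -L "$path" ]; then
    echo "refusing: $path is a symlink" >&2
    return 1
  fi

  touch "$path"
}

# Typical use (assumed location; replaces 'touch /tmp/LOW_POWER'):
#   safe_marker_touch /var/run/apm LOW_POWER
```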