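Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:44:19

[Original text] im-switch before 11.4-46.1 in Fedora Core 2 allows local users to overwrite arbitrary files via a symlink attack on the imswitcher[PID] temporary file.


Fedora Core is a Linux system distributed by RedHat.
The im-switch utility included in Fedora Core has a symbolic link flaw. A local attacker can exploit this vulnerability to corrupt system files or elevate privileges.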

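- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]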

- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(PATCH)  XF  fedora-imswitch-symlink(16682)
(PATCH)  BID  10717

- Vulnerability information

Low risk  Access validation error
2004-12-31 00:00:00 2005-11-11 00:00:00

- Advisories and patches

RedHat Fedora Core2:
RedHat Upgrade im-sdk-11.4-46.1.svn1587.src.rpm

- Vulnerability information (24278)

IM-Switch Insecure Temporary File Handling Symbolic Link Vulnerability (EDBID:24278)
linux local
2004-07-13 Verified
0 SEKINE Tatsuo

It is reported that im-switch is prone to a local insecure temporary file handling symbolic link vulnerability. This issue is due to a design error that allows the application to insecurely write to a temporary file that is created with a predictable file name.

The im-switch utility will write to this temporary file before verifying its existence; this would facilitate a symbolic link attack.

An attacker may exploit this issue to corrupt arbitrary files. This corruption may potentially result in the elevation of privileges, or in a system wide denial of service. 

$ bash -c 'i=1;while [ $i -lt 65536 ]; do ln -s /etc/IMPORTANT_FILE /tmp/imswitcher$i; let "i++"; done'

- Vulnerability information

Fedora im-switch imswitcher[PID] Temporary File Symlink Arbitrary File Overwrite
Local Access Required Race Condition
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

Fedora contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the im-switch command uses a predictable filename in the /tmp directory which may allow an attacker to overwrite arbitrary files. This flaw may lead to a loss of integrity.
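
The flaw class described above, as an added shell example that is not taken from im-switch or from this advisory: it contrasts the predictable PID-based name with a `mktemp`-created file, entirely inside a private scratch directory. The function names, `protected.conf` and the scratch layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not im-switch code). All paths are constructed and live in a
# private scratch directory created by mktemp -d.

# Weak pattern from the advisory: the name is derived from the PID and the
# file is opened with a plain redirect, which follows a symlink that already
# exists at that name.
write_predictable() {   # $1 = directory, $2 = data
    tmp="$1/imswitcher$$"
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the file
# exclusively, so a pre-existing file or symlink is never opened.
write_hardened() {      # $1 = directory, $2 = data
    tmp=$(mktemp "$1/imswitcher.XXXXXXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Returns 0 when the protected file survives the hardened write and is
# overwritten by the predictable one.
demo() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/protected.conf"          # constructed stand-in file
    echo "original" > "$victim"
    ln -s "$victim" "$scratch/imswitcher$$"   # constructed pre-existing link

    write_hardened "$scratch" "new data" >/dev/null || { rm -rf "$scratch"; return 1; }
    after_hardened=$(cat "$victim")

    write_predictable "$scratch" "new data" >/dev/null
    after_predictable=$(cat "$victim")

    rm -rf "$scratch"
    [ "$after_hardened" = "original" ] && [ "$after_predictable" = "new data" ]
}

demo && echo "hardened write left the protected file intact"
```

Where `mktemp` is unavailable, `set -C` (noclobber) makes the `>` redirect fail on an existing path instead of writing through it.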

- Timeline

2004-06-29 Unknown
2004-06-29 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Red Hat has released a patch to address this vulnerability.
