Vigil@nce: RHEL, privilege elevation via sblim
June 2008 by Vigil@nce
A local attacker can create a malicious library in order to
execute code with rights of applications using SBLIM.
– Gravity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 24/06/2008
– Identifier: VIGILANCE-VUL-7907
IMPACTED PRODUCTS
Red Hat Enterprise Linux [confidential versions]
DESCRIPTION
The sblim package implements SBLIM (Standards-Based Linux
Instrumentation for Manageability) used by WBEM management
applications such as tog-pegasus.
The RPATH of an executable indicates in which directories to look
for additional libraries.
Some sblim libraries have a RPATH containing the
"/var/tmp/sblim-version-release-root-brewbuilder/usr/lib"
directory. As the /var/tmp directory is world writable, a local
attacker can create the "sblim-version..." directory containing a
malicious library (such as libc.so), in order to execute code with
rights of sblim applications.
A local attacker can therefore wait for the administrator to use
tog-pegasus in order to have his malicious code run with root
privileges.
CHARACTERISTICS
– Identifiers: 447705, BID-29913, CVE-2008-1951, RHSA-2008:0497-01,
VIGILANCE-VUL-7907
– Url: https://vigilance.aql.fr/tree/1/7907