Vigil@nce - glibc: privilege escalation via pt_chown
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the pt_chown program provided with the glibc,
in order to change permissions of a pseudo-terminal.
Impacted products: Fedora, Unix (platform)
Severity: 2/4
Creation date: 23/08/2013
DESCRIPTION OF THE VULNERABILITY
The grantpt() function of the glibc changes permissions of a slave
pseudo-terminal.
This function calls the suid /usr/lib/pt_chown program which
performs the permission change.
However, pt_chown does not check if the user is the owner of the
pseudo-terminal descriptor. When FUSE is enabled, with
"user_allow_other", then a local attacker can change permissions
of pseudo-terminals of active users.
An attacker can therefore use the pt_chown program provided with
the glibc, in order to change permissions of a pseudo-terminal.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-privilege-escalation-via-pt-chown-13311