header-logo
Suggest Exploit
vendor:
N/A
by:
SecurityFocus
2,1
CVSS
LOW
Symbolic Link Overwrite
N/A
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

GDC Debug Output Overwrite Vulnerability

It is possible to write debug output from gdc to a file (/var/tmp/gdb_dump). Unfortunately, gdc follows symbolic links which can be created in tmp and will overwrite any file on the system thanks to it being setiud root. This does not cause any immediate compromises and is more of a denial of service attack since it does not change the permissions of the overwritten files (to say, world writeable or group writeable). Local users are required to be in group wheel (or equivelent) to execute gdc.

Mitigation:

Ensure that only trusted users are in the wheel group and that the gdc binary is not setuid root.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/835/info

It is possible to write debug ouput from gdc to a file (/var/tmp/gdb_dump). Unfortunately, gdc follows symbolic links which can be created in tmp and will overwrite any file on the system thanks to it being setiud root. This does not cause any immediate compromises and is more of a denial of service attack since it does not change the permissions of the overwritten files (to say, world writeable or group writeable). Local users are required to be in group wheel (or equivelent) to execute gdc.

ln -s /etc/master.passwd /var/tmp/gated_dump

And then wait for a priviliged user to run gdc dump.

Navigation

Suggest Exploit

Services By CQR