header-logo
Suggest Exploit
vendor:
mgetty
by:
SecurityFocus
7,2
CVSS
HIGH
Symbolic Link Following
22
CWE
Product Name: mgetty
Affected Version From: mgetty 1.1.20
Affected Version To: mgetty 1.1.25
Patch Exists: YES
Related CWE: CVE-2002-0392
CPE: o:mgetty:mgetty
Metasploit: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2002-0392/https://www.rapid7.com/db/vulnerabilities/http-apache2-chunked-transfer-int-bof/https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-apache-chunked-encoding-vulnerability-cve-2002-0392/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, OpenBSD, FreeBSD
2002

Symbolic Link Following

By exploiting a flaw in the faxrunq and faxrunqd programs, it is possible for local users to create arbitrary files, and alter arbitrary files on the filesystem. This can be done by creating a symbolic link named .last_run in /var/spool/fax/outgoing, and running the faxrunqd or faxrunq program.

Mitigation:

Upgrade to the latest version of mgetty.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1612/info

A vulnerability exists in a portion of the mgetty package, by Gert Doering. By exploiting a flaw in the faxrunq and faxrunqd programs, it is possible for local users to create arbitrary files, and alter arbitrary files on the filesystem. This in turn can lead to local root compromise.

The faxrunq and faxrunqd programs will follow symbolic links. By creating a symbolic link named .last_run in /var/spool/fax/outgoing, and running the faxrunqd or faxrunq program, arbitrary files can be created. Existing files will have their contents overwritten.

mgetty is a popular getty replacement package that supports fax receipt and transmission. It runs on a wide range of systems, and is distributed with a number of popular Linux distributions. It is also part of the OpenBSD and FreeBSD ports packages. It is not, however, installed by default on either system.

mgetty is marked BROKEN in the OpenBSD ports package because of this problem and users are not able to install it.

ln -s /TEST /var/spoo/fax/outgoing/.lastrun
faxrunqd -l ttyS0

Navigation

Suggest Exploit

Services By CQR