STING: Vulnerabilities Found

This page lists the bugs found by STING (in reverse chronological order, latest first), and links to further details where applicable.

21. Program: apachectl
Privilege escalation: * to root
Description: The apachectl Apache web server startup script allows any user to change the permissions of any directory to 0755 through a symbolic link attack on a lock directory.
Link: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1104049

20. Program: dbus-daemon
Privilege escalation: messagebus to root
Description: dbus-daemon allows UID messagebus to change the permissions of an arbitrary root-owned file to rwx through a race condition, and to create a file with root's permissions through a symbolic link attack on the PID file.

19. Program: landscape
Privilege escalation: landscape to root
Description: landscape in Ubuntu 11.10 allows UID landscape to (1) create an arbitrary file as root, and (2) append arbitrary content to any root-owned file, through a link attack on the log file /var/log/landscape/sysinfo.log.

18. Program: Ubuntu startup script
Privilege escalation: * to root
Description: An SELinux startup script in Ubuntu allows arbitrary file creation as root through a symbolic link attack on a file.
Link: https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/876994

17. Program: Ubuntu startup script
Privilege escalation: * to root
Description: The /etc/init.d/X11-unix startup script has two race conditions that allow the permissions of files to be changed, as the root user, to rwx for all users. This was fixed (independently of us) by Ubuntu.
Link: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661627

16. Program: Ubuntu startup script
Privilege escalation: avahi to root
Description: A startup script for avahi-daemon in Ubuntu allows UID avahi to create arbitrary files as root and to write data as root, through link attacks on a file whose name is derived from the PID.

15. Program: mysql
Privilege escalation: mysql to root
Description: MySQL allows UID mysql to create arbitrary files through a predictable filename derived from the hostname. This bug was also located by Chari et al. in their NDSS 2010 paper "Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation".

14. Program: mysql_upgrade
Privilege escalation: mysql to root
Description: A bug in mysql_upgrade in the handling of the file mysql_upgrade_info allows UID mysql to truncate and write root-owned files through a symbolic link attack.

13. Program: tomcat
Privilege escalation: tomcat6 to root
Description: Tomcat allows UID tomcat6 to create a root-owned file and change its permissions. This bug was also located by Chari et al. in their NDSS 2010 paper "Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation".

12. Program: accountsservice script
Privilege escalation: * to root
Description: The accountsservice package in Ubuntu, invoked from the LightDM display manager, allows any UID to append data to root-owned files through link attacks on a user's $HOME/.profile file.
Link: http://www.ubuntu.com/usn/usn-1351-1/

11. Program: bluetooth-applet
Privilege escalation: * to user
Description: bluetooth-applet has an untrusted search path vulnerability when launched in an untrusted directory, through configuration files with a .ui extension.

10. Program: java
Privilege escalation: * to user
Description: java has an untrusted search path when launched in an untrusted directory, through the critical files hotspotrc and hotspot_compiler. This problem is known but unfixed.

9. Program: mountall
Privilege escalation: * to root
Description: mountall, when launched in an untrusted directory, resolves relative link names and stores them in /etc/mtab. This allows untrusted users to control values in the mtab file.

8. Program: zeitgeist-daemon
Privilege escalation: * to user
Description: zeitgeist-daemon insecurely creates files with a random name in a temporary directory, in its sqlite handling code. Guessing this random name allows creation of a file with the permissions of the user running zeitgeist-daemon.

7. Program: colord
Privilege escalation: * to user
Description: colord has an untrusted search path vulnerability when launched in an untrusted directory, through reading configuration files from a dll.d directory.

6. Program: mailutils
Privilege escalation: mail to root
Description: The mail program in mailutils allows privilege escalation from UIDs in group mail to root by controlling the contents of the /var/mail/root file.

5. Program: bsd-mailx
Privilege escalation: mail to root
Description: The mail program in bsd-mailx allows privilege escalation from UIDs in group mail to root through symbolic link/hard link attacks on the file /var/mail/root, and also by controlling the contents of /var/mail/root.

4. Program: cupsd
Privilege escalation: lp to root
Description: A bug in cupsd allows UID lp to truncate root-owned files through link attacks on files in /var/cache. This bug was also located by Chari et al. in their NDSS 2010 paper "Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation".

3. Program: abrt-server
Privilege escalation: abrt to root
Description: abrt-server insecurely creates files with a random name, based on the current date and time, in a temporary directory. Guessing this random name allows UID abrt to create a file with the permissions of the user running abrt-server.

2. Program: yum
Privilege escalation: sync to root
Description: yum insecurely creates files whose names are derived from the current date; guessing such a name allows UID yum to create files.

1. Program: x2gostartagent
Privilege escalation: * to user
Description: An x2go script has an untrusted library search path due to an empty LD_LIBRARY_PATH.
Link: http://lists.berlios.de/pipermail/x2go-dev/2012-January/003162.html