CVE-2010-0832

pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a users home directory, related to user file stamps and the motd.legal-notice file.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Potential Mitigations

• Follow the principle of least privilege when assigning access rights to entities in a software system.
• Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/132.html
• https://cwe.mitre.org/data/definitions/17.html
• https://cwe.mitre.org/data/definitions/35.html
• https://cwe.mitre.org/data/definitions/76.html

References

• http://secunia.com/advisories/40512
• http://twitter.com/jonoberheide/statuses/18009527979
• http://www.exploit-db.com/exploits/14273
• http://www.h-online.com/security/news/item/Ubuntu-closes-root-hole-1034618.html
• http://www.osvdb.org/66116
• http://www.securityfocus.com/bid/41465
• http://www.ubuntu.com/usn/USN-959-1
• http://www.vupen.com/english/advisories/2010/1747
• https://exchange.xforce.ibmcloud.com/vulnerabilities/60194
• http://secunia.com/advisories/40512
• http://twitter.com/jonoberheide/statuses/18009527979
• http://www.exploit-db.com/exploits/14273
• http://www.h-online.com/security/news/item/Ubuntu-closes-root-hole-1034618.html
• http://www.osvdb.org/66116
• http://www.securityfocus.com/bid/41465
• http://www.ubuntu.com/usn/USN-959-1
• http://www.vupen.com/english/advisories/2010/1747
• https://exchange.xforce.ibmcloud.com/vulnerabilities/60194