CVSS2

| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS

| Metric | Value |
|---|---|
| Percentile | 0.4% |
The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier
might allow local users to create or overwrite arbitrary files via a
crafted --session-dir argument in conjunction with a symlink attack on the
opd_pipe file, a different vulnerability than CVE-2011-1760.
| Author | Note |
|---|---|
| jdstrand | This attack requires that the user is using a --session-dir that is under the attacker’s control. --session-dir defaults to /var/lib/oprofile, so this is not a problem in the default configuration. Proper use of --init will set up the session dir with correct permissions, and this is needed to use a different session dir anyway. The vulnerability comes in if the session dir’s permissions change after using --init, or if it is created in another user’s directory that is under the attacker’s control. While it would be good to try to defend against this, the checks would be racy and the vulnerability is somewhat contrived to begin with. Upstream has not patched this as of 2011-07-07. |