Source: Ubuntu.com (ubuntucve), UB:CVE-2011-2473

History: Jun 09, 2011 - 12:00 a.m.

CVE-2011-2473

CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0
Percentile: 0.4%

The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier
might allow local users to create or overwrite arbitrary files via a
crafted --session-dir argument in conjunction with a symlink attack on the
opd_pipe file, a different vulnerability than CVE-2011-1760.

Notes

Author: jdstrand

Note: This attack requires that the user is using a --session-dir that is under the attacker’s control. --session-dir defaults to /var/lib/oprofile so this is not a problem in the default configuration. Proper use of --init will set up the session dir with correct permissions, and this is needed to use a different session dir anyway. The vulnerability comes in if the session dir’s permissions change after using --init or if it is created in another user’s directory that is under the attacker’s control. While it would be good to try to defend against this, the checks would be racy and the vulnerability is somewhat contrived to begin with. Upstream has not patched this as of 2011-07-07.
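The conditions in the note can be audited before opcontrol is run against a non-default session directory. The following is an added example, not code from OProfile or Ubuntu: it is a point-in-time check and does not remove the race the note mentions. The function names, the `stop_at` parameter and the trusted set (root plus the invoking user) are assumptions made for illustration.

```python
import os
import stat

PIPE_NAME = "opd_pipe"  # file named in the CVE description


def _dir_findings(path, trusted, allow_sticky):
    """Inspect one directory without following symlinks."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: is not a directory"]
    out = []
    if st.st_uid not in trusted:
        out.append(f"{path}: owned by untrusted uid {st.st_uid}")
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    # Sticky ancestors (e.g. /tmp) are tolerated: others cannot rename or
    # remove existing entries there. The session dir itself gets no such pass.
    if writable and not (allow_sticky and st.st_mode & stat.S_ISVTX):
        out.append(f"{path}: group- or world-writable")
    return out


def audit_session_dir(session_dir, stop_at="/", trusted_uids=None):
    """Return findings for session_dir, opd_pipe and ancestors up to stop_at."""
    trusted = {0, os.geteuid()} if trusted_uids is None else set(trusted_uids)
    path, stop = os.path.abspath(session_dir), os.path.abspath(stop_at)
    if not os.path.lexists(path):
        return [f"{path}: does not exist"]
    findings = []
    pipe = os.path.join(path, PIPE_NAME)
    if os.path.islink(pipe):
        findings.append(f"{pipe}: symlink to {os.readlink(pipe)}")
    elif os.path.lexists(pipe) and os.lstat(pipe).st_uid not in trusted:
        findings.append(f"{pipe}: owned by untrusted uid")
    leaf = True
    while True:
        findings += _dir_findings(path, trusted, allow_sticky=not leaf)
        parent = os.path.dirname(path)
        if path == stop or parent == path:
            break
        path, leaf = parent, False
    return findings


if __name__ == "__main__":
    # /var/lib/oprofile is the default --session-dir given in the note above.
    for line in audit_session_dir("/var/lib/oprofile") or ["no findings"]:
        print(line)
```

An empty result only means nothing was wrong at the moment of the check; any finding is a reason to recreate the session directory under a path that only root and the profiling user control.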
