CVE-1999-1352

Vulnerability

The mknod(2) system call in Linux kernel version 2.2 (specifically 2.2.x prior to 2.2.12-ow6) follows dangling symbolic links during device node creation. This behavior differs from earlier 2.0.x kernels, which do not follow symlinks for mknod or bind syscalls. The vulnerability exists because the kernel's path resolution for mknod does not check for symbolic links, allowing an attacker to create a device node that points to an arbitrary file or device.

Exploitation

An attacker needs local access to the system with the ability to mknod (requires appropriate privileges or a setuid binary). The attacker creates a symbolic link pointing to a target file (e.g., a critical system file or a device) and then invokes mknod on the symlink path. Since the kernel follows the symlink, the device node is created under the attacker's control, potentially overwriting the target. The exploit requires a race condition or pre-created symlink to succeed [1].

Impact

Successful exploitation allows a local attacker to overwrite arbitrary files on the system, including those owned by root, by creating a device node that points to the target. This can lead to privilege escalation (e.g., overwriting /etc/passwd or a setuid binary) or denial of service. The attacker gains the ability to write to any file that the kernel can access via the device node, effectively bypassing file permission checks.

Mitigation

A fix was implemented in Linux kernel version 2.2.12-ow6, which modified the mknod(2) and bind(2) syscalls to not follow dangling symlinks. Users should upgrade to a kernel version including this patch or later. No workaround is available unless access to mknod is restricted via LSM or capability controls.