CVE-2000-0107

Vulnerability

The apcd program, as shipped in Debian GNU/Linux 2.1, is vulnerable to a symlink attack. The apcd process creates a file named upsstat in /tmp to store APC device status information. This file is not opened securely, allowing a local attacker to replace it with a symbolic link to an arbitrary file on the filesystem.

Exploitation

A local attacker can exploit this vulnerability by creating a symbolic link named upsstat in /tmp that points to a sensitive file, such as /.rhosts. The attacker then needs to trigger the apcd process to send a SIGUSR1 signal, causing it to create the upsstat file. Once the symlink is in place and the signal is sent, the attacker can manipulate the target file. For example, by creating a symlink to /.rhosts and then adding + + to it, an attacker can gain root access via rsh [1].

Impact

Successful exploitation allows a local attacker to modify arbitrary files on the system. By targeting sensitive configuration files like /.rhosts, an attacker can escalate their privileges to root, leading to a full system compromise [1].

Mitigation

This vulnerability affects apcd in Debian GNU/Linux 2.1. A patched version is available. Users should upgrade to a fixed version of the apcd package. No specific workaround is mentioned in the available references, other than upgrading the package [1].