CVE-2004-0058

Vulnerability

Antivir / Linux version 2.0.9-9 (and possibly earlier) creates a temporary file at /tmp/.pid_antivir_$$ on startup, where $$ is the process ID. The file is created with read/write permissions for the superuser only, but the PID is predictable within a range of approximately 1000–2000. The file persists until the system reboots. This design flaw allows a local attacker to exploit a symlink race condition [1].

Exploitation

An attacker with local shell access can guess the PID of the Antivir process (typically between 1000 and 2000) and create a symbolic link with the guessed name (e.g., /tmp/.pid_antivir_1204) pointing to an arbitrary target file on the system. When the system is rebooted (or when Antivir restarts), the process creates the temporary file, which follows the symlink and overwrites the target. The attacker may need to repeat the attempt if the PID is not exactly guessed, but the range is narrow enough to succeed within one or two reboots [1].

Impact

Successful exploitation allows a local user to overwrite any file on the system that the Antivir process (running as root) can write to. This can lead to denial of service (e.g., overwriting /etc/nologin to prevent logins) or privilege escalation by overwriting critical system files. The attacker gains the ability to corrupt system integrity or disrupt operations [1].

Mitigation

No fixed version is disclosed in the available references. The vendor did not release a patch for this issue. As a workaround, the application should use the unlink() system call before creating the temporary file to remove any existing symlink, as suggested in the advisory. Given the age of the software (2004), it is likely end-of-life and no longer supported. Users should consider migrating to a maintained alternative [1].