VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1895

Description

A symlink vulnerability in SuSE's YOU allows local users to overwrite arbitrary files via crafted temporary directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

SuSE Linux 8.2 and 9.0 include YaST Online Update (YOU), accessible via the online_update command. When a user runs online_update -q or online_update -k, the program creates a temporary directory at /usr/tmp/you-$USER and writes files such as cookies, quickcheack, and youservers into it [1]. The software does not verify whether the directory or these files already exist, enabling a symlink attack [1].

Exploitation

A local attacker can create a directory /usr/tmp/you-<target_username> with world-writable permissions (e.g., 777) and place a symbolic link named cookies inside it, pointing to any file writable by the target user (the reference uses the example username asdf) [1]. The attacker must then convince the target user to execute online_update (for example, through social engineering) [1]. When the target runs the command, it follows the symlink and overwrites the file it points to with the contents intended for the cookies file [1].

Impact

A local attacker can overwrite arbitrary files owned by another user on the system, potentially leading to privilege escalation or data corruption [1]. No authentication beyond a local user account is required, and no elevated privileges are needed to perform the attack.

Mitigation

The vulnerability was reported in April 2004 and affects SuSE 8.2 and 9.0 [1]. The official fix has not been disclosed in the available references, but users should apply any security updates provided by SuSE for the online_update component. If no patch is available, using the graphical YaST interface or avoiding the -q/-k options as a normal user reduces risk. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
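The unchecked fixed-path write described under Vulnerability, beside the hardened pattern a defender would apply in the absence of a disclosed vendor fix, as an added C example; this is not SuSE's or YOU's code, and the scratch directory, file names and run_demo harness are constructed for the demo. The hardened version opens the directory without following links, checks owner and world-writability on the descriptor, and creates the file with O_EXCL | O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern as described for YOU: write to a fixed name under a
   predictable directory; open(2) silently follows a pre-planted symlink. */
int unsafe_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: open the directory itself without following links, check
   owner and world-writability on the descriptor (no check-then-use window),
   then create with O_EXCL | O_NOFOLLOW so an existing entry or symlink fails. */
int safe_open(const char *dir, const char *name) {
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) != 0 || st.st_uid != getuid() || (st.st_mode & S_IWOTH)) {
        close(dfd); return -1;          /* not ours, or anyone can plant links */
    }
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

/* Constructed scenario in a private scratch directory: "cookies" is a symlink
   to a victim file. Returns bit 1 if the unsafe open wrote through the link
   and bit 2 if the hardened open refused with EEXIST; 3 means both happened. */
int run_demo(void) {
    char scratch[] = "/tmp/you-demo-XXXXXX", dir[64], lnk[80], victim[64];
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(scratch)) return -1;
    snprintf(dir, sizeof dir, "%s/you-victim", scratch);
    snprintf(lnk, sizeof lnk, "%s/cookies", dir);
    snprintf(victim, sizeof victim, "%s/victim.txt", scratch);
    close(open(victim, O_WRONLY | O_CREAT, 0600));    /* file to be clobbered */
    mkdir(dir, 0700);
    symlink(victim, lnk);                              /* the planted link */
    if ((fd = unsafe_open(lnk)) >= 0) {                /* follows the link */
        if (write(fd, "cookie data\n", 12) != 12) result = -2;
        close(fd);
    }
    if (stat(victim, &st) == 0 && st.st_size == 12) result |= 1;
    if (safe_open(dir, "cookies") < 0 && errno == EEXIST) result |= 2;
    unlink(lnk); unlink(victim); rmdir(dir); rmdir(scratch);
    return result;
}
```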

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • SUSE S.A. / Linux (3 versions)
    • cpe:2.3:o:suse:suse_linux:8.2:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:9.0:*:*:*:*:*:*:*
    • cpe:2.3:o:suse:suse_linux:9.0:*:x86_64:*:*:*:*:*
  • Range: 8.2, 9.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.