VYPR
Unrated severity · NVD Advisory · Published Nov 29, 2007 · Updated Apr 23, 2026

CVE-2007-6167

Description

Untrusted search path in yast2-core allows local users to execute arbitrary code by placing a malicious module in the current working directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2007-6167 describes an untrusted search path vulnerability in the yast2-core component of SUSE Linux. When yast2 is executed, it searches for modules in the current working directory before checking system paths. If a local user places a malicious module in the current directory under the name of a legitimate yast2 module, the system may load and execute the attacker-controlled code. Affected versions are all SUSE Linux distributions that ship yast2-core prior to the release of a security update [1].

Exploitation

An attacker must have local access to the system and be able to write files to a directory from which a privileged user (such as root) will run yast2. The attacker creates a malicious shared library or script named to match a legitimate yast2 module (e.g., libfoo.so or a .ycp file). When the victim executes yast2 from that directory, the untrusted search path causes the malicious module to be loaded instead of the system one, leading to code execution with the victim's privileges [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privileges of the user running yast2. Since yast2 is often run as root for system administration tasks, this can result in full compromise of the affected system, including unauthorized access, data modification, or denial of service [1].

Mitigation

No specific mitigation details are provided in the available reference [1]. Users are advised to apply any security updates released by SUSE for this vulnerability. As a general best practice, avoid running yast2 from untrusted directories and ensure that the current working directory is not writable by unprivileged users. If a patch is available, it should be installed immediately [1].
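The working-directory advice above can be enforced with a small wrapper. This is an added shell example, not part of the advisory or of yast2-core: `dir_is_trusted` and `run_in_trusted_cwd` are hypothetical helper names, and GNU `stat -c` (as on Linux) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not yast2-core code).
# Assumes GNU stat with -c, and that / is root-owned and not
# writable by unprivileged users.

# dir_is_trusted DIR
#   0  only root or the invoking user can create files in DIR
#   1  another user owns DIR, or group/other have write permission
#   2  DIR is missing or cannot be inspected
dir_is_trusted() {
    dir=${1:-.}
    [ -d "$dir" ] || return 2
    info=$(stat -L -c '%u %a' -- "$dir") || return 2
    owner=${info% *}
    mode=${info#* }

    # A directory owned by another unprivileged user is theirs to fill.
    [ "$owner" -eq 0 ] || [ "$owner" -eq "$(id -u)" ] || return 1

    # Any group/other write bit lets someone else drop a file here.
    # The sticky bit (as on /tmp) only restricts deleting or renaming
    # other users' entries, not creating new ones, so it is ignored.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# run_in_trusted_cwd CMD [ARGS...]
#   Runs CMD from the current directory when it is trusted,
#   otherwise from / so the search path cannot pick up files
#   planted in the original directory.
run_in_trusted_cwd() {
    if dir_is_trusted .; then
        "$@"
    else
        echo "warning: untrusted working directory, running from /" >&2
        (cd / && "$@")
    fi
}
```

An administrator would invoke it as `run_in_trusted_cwd yast2` from a root shell; relative path arguments are resolved against `/` when the fallback is taken.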

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

4