CVE-2010-2064

Vulnerability

rpcbind version 0.2.0 creates temporary files /tmp/portmap.xdr and /tmp/rpcbind.xdr in the world-writable /tmp directory without using safe file creation practices [1]. This allows a local user to perform a symlink attack by placing a symbolic link with the same name before the daemon starts, pointing to an arbitrary file that the rpcbind process can write to [2].

Exploitation

An attacker needs local access to the system and the ability to create files in /tmp before the rpcbind daemon is started. The attacker can create a symbolic link from either /tmp/portmap.xdr or /tmp/rpcbind.xdr to a target file, such as a system configuration file. When rpcbind starts, it will follow the symlink and write data to the target location [3].

Impact

Successful exploitation allows a local attacker to write to arbitrary files with the privileges of the rpcbind process (typically root), potentially leading to privilege escalation or a denial of service by overwriting critical system files [1].

Mitigation

The vulnerability is fixed in rpcbind version 0.2.0-4.1 (Debian) which changed the state directory to /var/run/rpcbind, which is only writable by root [4]. Red Hat Enterprise Linux was not affected as it used a secure state directory /var/lib/rpcbind [3]. Users should update to a patched version or ensure the state directory is not in a world-writable location.