Source: cve@mitre.org
Race condition in Linux mailx command allows local users to read user files.
Local privilege escalation is possible through a race condition in the Linux mailx command, allowing attackers to read sensitive user files. This vulnerability can lead to data breaches and compromise of user accounts, posing a significant risk to system integrity.
Step 1: File Prediction: The attacker identifies the naming convention mailx uses for temporary files. This often involves the user's UID or PID, making it predictable within a limited timeframe.
Step 2: File Creation/Deletion Loop: The attacker crafts a script that rapidly creates and deletes a file with a name matching the predicted temporary file name.
Step 3: Mailx Invocation: The attacker triggers the mailx command, typically by sending a crafted email or using a vulnerable script that calls mailx.
Step 4: Race Condition Exploitation: Due to the race condition, the attacker's file creation/deletion loop wins the race, and mailx attempts to write the email content to the attacker-controlled file.
Step 5: Information Disclosure: The attacker reads the contents of the attacker-controlled file, which now contains the sensitive information intended for the email recipient.
The vulnerability stems from a race condition within the mailx command's handling of temporary files. Specifically, when mailx is invoked to send mail, it creates temporary files to store the message content. An attacker can exploit this by rapidly creating and deleting files with predictable names (often based on the user's UID or PID) before mailx can securely create its temporary file. This allows the attacker to trick mailx into writing the message content to a file the attacker controls, potentially containing sensitive information. The root cause is a lack of proper synchronization and atomic operations when creating and accessing these temporary files, leading to a window of opportunity for an attacker to manipulate the file system state.
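The root cause described above is the classic temporary-file pattern of CWE-377: a name that can be predicted from the UID or PID, opened with O_CREAT but without O_EXCL, so that whatever already sits at that path is silently reused. The following C program is an added example written for this page; it is not mailx source and the temp-file name format, directory and helper names are assumptions. It contrasts that pattern with atomic creation via mkstemp() and an O_EXCL|O_NOFOLLOW open, plants a decoy at the predictable name to stand in for the attacker's create/delete loop having won the race, and shows that the insecure open reuses the decoy while the hardened open refuses it with EEXIST. A post-open fstat() check that a careful caller can apply to any temp file descriptor is included as well.

```c
/* Added example (not mailx code): predictable, non-atomic temp-file creation
 * versus atomic creation with mkstemp()/O_EXCL. Name formats and the /tmp
 * directory are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: the name is derived from UID and PID, so it is
 * guessable, and O_CREAT without O_EXCL happily opens a file (or follows a
 * symlink) that someone else already placed at that path. */
int open_predictable(const char *dir, char *out, size_t outlen) {
    snprintf(out, outlen, "%s/Rs%u.%ld", dir, (unsigned)getuid(), (long)getpid());
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp() replaces XXXXXX with unpredictable characters
 * and creates the file with O_CREAT|O_EXCL and mode 0600 in a single call,
 * so a name an attacker already owns makes the call fail rather than reuse. */
int open_unpredictable(const char *dir, char *out, size_t outlen) {
    snprintf(out, outlen, "%s/RsXXXXXX", dir);
    return mkstemp(out);
}

/* Exclusive open at a fixed path: O_EXCL|O_NOFOLLOW is the atomic
 * check-and-create the insecure pattern lacks. Returns -1 with errno set to
 * EEXIST when anything already exists at the path. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Post-open sanity check on a temp fd: regular file, owned by the caller,
 * no group/other permission bits, exactly one hard link. */
int fd_is_private_regular(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & 077) == 0 && st.st_nlink == 1;
}

/* Plant a decoy at the predictable name (the attacker having won the race),
 * then show that open_predictable() reuses it, that the fstat() check flags
 * it, and that open_exclusive() refuses it. Returns 1 if all three hold. */
int demo_predictable_vs_exclusive(const char *dir) {
    char path[256], p2[256];
    snprintf(path, sizeof path, "%s/Rs%u.%ld", dir, (unsigned)getuid(), (long)getpid());

    int decoy = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644); /* group-readable decoy */
    if (decoy < 0) return 0;
    close(decoy);

    int fd = open_predictable(dir, p2, sizeof p2);
    int reused = fd >= 0 && strcmp(path, p2) == 0 && !fd_is_private_regular(fd);
    if (fd >= 0) close(fd);

    int ex = open_exclusive(path);
    int refused = ex < 0 && errno == EEXIST;
    if (ex >= 0) close(ex);

    unlink(path);
    return reused && refused;
}

/* mkstemp() path: file is created fresh, private (0600) and owned by us.
 * Returns 1 when the descriptor passes the post-open check. */
int demo_mkstemp(const char *dir) {
    char path[256];
    int fd = open_unpredictable(dir, path, sizeof path);
    if (fd < 0) return 0;
    int ok = fd_is_private_regular(fd);
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("predictable name reused, exclusive open refused: %s\n",
           demo_predictable_vs_exclusive("/tmp") ? "yes" : "no");
    printf("mkstemp file private and fresh: %s\n",
           demo_mkstemp("/tmp") ? "yes" : "no");
    return 0;
}
```

The defensive lesson is that the fix is atomicity, not a faster or better-hidden name: mkstemp() (or an O_CREAT|O_EXCL|O_NOFOLLOW open) turns the attacker's pre-placed file into a failed call instead of a write target, and fstat() on the descriptor, never stat() on the path, verifies what was actually opened.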
This vulnerability is unlikely to be directly targeted by sophisticated APTs today because of its age and the requirement for local access. However, it could be incorporated into a larger attack chain as a post-compromise step. Inclusion in the CISA KEV catalogue is unlikely, again because of the age of the vulnerability.
Monitor system logs for unusual mailx activity, especially involving file creation/deletion patterns.
Analyze file system events for rapid creation and deletion of files with predictable names, potentially related to user IDs or process IDs.
Review scripts and applications that invoke mailx for potential exploitation.
Implement file integrity monitoring to detect unauthorized modifications to sensitive files.
Upgrade to a patched version of mailx or a secure alternative mail client.
Implement robust file permissions to restrict access to user files.
Regularly audit system logs for suspicious activity.
Apply the principle of least privilege, limiting user access to only the necessary resources.
Consider using a more secure mail transfer agent (MTA) that mitigates this type of vulnerability.