Source: cve@mitre.org
UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.
UnixWare's uidadmin utility is vulnerable to a symlink attack: a local user can cause it to overwrite a file of the attacker's choosing. The attack only matters because uidadmin performs the write with privileges the attacker lacks (otherwise the attacker could simply edit the file directly), so a successful attack means arbitrary overwrite of files such as /etc/passwd or /etc/shadow, and from there local privilege escalation or tampering with system data.
The advisory does not name the path uidadmin writes to or the operation that triggers the write; the steps below describe the generic symlink-attack pattern it falls into.
Step 1: Locate the writable path: The attacker identifies a file that uidadmin creates or rewrites at a path the attacker can also write to, typically a predictable name in a world-writable directory such as /tmp.
Step 2: Plant the symlink: The attacker creates a symbolic link at that path pointing at a sensitive file such as /etc/passwd or /etc/shadow. If uidadmin creates the file without checking first, the link is simply planted before uidadmin runs; if uidadmin checks the path and then opens it, the attacker must swap the link in between the check and the open (a TOCTOU race), which is harder but still feasible on a predictable path.
Step 3: Trigger uidadmin: The attacker runs uidadmin with an action that performs the write, or waits for an administrator or a privileged procedure to run it.
Step 4: File overwrite: open() follows the link, so uidadmin writes its data into the link's target with uidadmin's privileges rather than into the file it believes it is writing.
Step 5: Privilege escalation: If the target is /etc/passwd or /etc/shadow, the attacker can add an account with UID 0 or replace an existing account's password field, then log in with elevated privileges.
The underlying defect is insecure file handling in privileged code. uidadmin opens a path in a location that unprivileged users can also write to, and it does so in a way that follows symbolic links (no O_EXCL or O_NOFOLLOW equivalent, no check that the opened object is a freshly created regular file owned by the caller). Whether the specific bug is a plain predictable-filename symlink or a check-then-use race is not stated in the advisory; both are variants of the same mistake. The fix on the code side is the standard one: write only to directories untrusted users cannot write to, use unpredictable names (mkstemp or equivalent), create with exclusive semantics so a pre-planted entry causes failure rather than redirection, and inspect the open descriptor with fstat rather than the path with stat so there is no window between the check and the use. Running the utility with the least privilege it needs limits what an overwrite can reach, but it is a mitigation rather than the root cause.
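The vulnerable and hardened write patterns described above, as an added example that is not uidadmin's code (the advisory does not name the path or the operation involved): a writer that follows symlinks, a writer that refuses them, and a harness that stages the attack against a stand-in passwd file in a scratch directory so it runs unprivileged and offline. The temp name uidadmin.tmp, the file contents, and both writer functions are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical stand-in for whatever uidadmin does):
 * open() resolves symlinks, so if PATH is a link planted by an attacker the
 * truncate-and-write lands on the link's target with the caller's privileges. */
int write_following_symlinks(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST if anything, a symlink
 * included, already sits at PATH; O_NOFOLLOW refuses a symlink at the final
 * component. fstat() on the descriptor (not stat() on the path) confirms we
 * hold a fresh regular file, so there is no check-then-use window. */
int write_no_follow(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;            /* errno EEXIST or ELOOP: something was planted */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Stage the attack in a scratch directory. Returns a bitmask:
 * bit 0 = vulnerable writer clobbered the stand-in "sensitive" file via the link,
 * bit 1 = hardened writer refused the same planted link. Expected value: 3.
 * Negative values indicate a setup failure. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/uidadmin-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char sensitive[PATH_MAX], planted[PATH_MAX];
    snprintf(sensitive, sizeof sensitive, "%s/passwd", dir);    /* stand-in for /etc/passwd */
    snprintf(planted, sizeof planted, "%s/uidadmin.tmp", dir);  /* assumed predictable temp name */

    /* Constructed victim content, written before any link exists. */
    if (write_following_symlinks(sensitive, "root:x:0:0:root:/:/bin/sh\n") != 0)
        return -2;

    /* Attacker step: plant a link at the path the privileged tool will write to. */
    if (symlink(sensitive, planted) != 0)
        return -3;

    int result = 0;
    const char *payload = "evil::0:0:evil:/:/bin/sh\n";   /* UID 0, empty password */

    /* Privileged tool (vulnerable) writes what it believes is its own temp file. */
    if (write_following_symlinks(planted, payload) == 0) {
        char buf[128] = {0};
        int fd = open(sensitive, O_RDONLY);
        if (fd >= 0) {
            ssize_t n = read(fd, buf, sizeof buf - 1);
            close(fd);
            if (n > 0 && strcmp(buf, payload) == 0)
                result |= 1;   /* the "sensitive" file now holds the attacker's line */
        }
    }

    /* Same planted link, hardened writer: must fail rather than follow it. */
    errno = 0;
    if (write_no_follow(planted, payload) != 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;

    unlink(planted);
    unlink(sensitive);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_demo();
    printf("demo result: %d (3 = vulnerable writer followed the link, hardened writer refused)\n", r);
    return r == 3 ? 0 : 1;
}
```

The harness never touches the real /etc/passwd; it only shows that an unprivileged user who can pre-place a link at a predictable path controls where the privileged write lands, and that exclusive creation turns that into a loud failure instead.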
This vulnerability is not associated with any known APT group or malware campaign, which is unsurprising given its age; it is nonetheless a textbook local privilege escalation pattern. CISA KEV status: Not Listed.
Monitor system logs for suspicious uidadmin activity and for modifications to sensitive files such as /etc/passwd and /etc/shadow.
Analyze file system changes for unexpected symbolic links, especially links in world-writable directories such as /tmp that point at critical system files.
Implement file integrity monitoring tools (e.g., Tripwire, AIDE) to detect unauthorized file modifications.
Review audit logs for uidadmin invocations, looking for unprivileged users running it or unusual parameters and actions.
Network traffic analysis will not reveal the exploitation itself, which is entirely local, but can help identify lateral movement after a successful compromise.
Apply security patches provided by the vendor (if available).
Harden shared temporary directories: set the sticky bit on /tmp and similar locations so users cannot remove or rename each other's entries, and where the operating system offers a control that stops privileged processes from following symlinks in world-writable directories, enable it.
Review and restrict access to uidadmin to only authorized users.
Implement file integrity monitoring to detect unauthorized modifications to system files.
In locally written or maintained privileged code, create files with exclusive semantics (O_CREAT|O_EXCL, plus O_NOFOLLOW where supported), use unpredictable names such as those from mkstemp, avoid world-writable directories altogether, and validate the open descriptor with fstat rather than the path with stat.
Consider replacing uidadmin with a more secure alternative or disabling it if it's not essential.
Implement a least-privilege model, ensuring users only have the necessary permissions.
Regularly audit user accounts and permissions.