CVE-1999-0836

HIGH 10.0 / 10.0
Published: December 2, 1998 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

UnixWare uidadmin allows local users to modify arbitrary files via a symlink attack.

CVSS Metrics

Base Score: 10.0
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

UnixWare's uidadmin utility is vulnerable to a symlink attack that lets local users overwrite arbitrary files. Because the overwritten file can be a security-critical system file, this can lead to privilege escalation and complete system compromise, giving an attacker unauthorized access and control. Successful exploitation could result in data theft, system outages, and significant operational disruption.

02 // Vulnerability Mechanism

Step 1: Symlink Creation: The attacker creates a symbolic link (symlink) that points to a sensitive system file (e.g., /etc/passwd, /etc/shadow).

Step 2: Triggering uidadmin: The attacker executes uidadmin with an option that causes it to operate on a file specified by the attacker, which is the symlink.

Step 3: Race Condition Exploitation: uidadmin checks the symlink, but before it performs the intended operation (e.g., modifying a user entry), the symlink is resolved to the target file.

Step 4: File Overwrite: uidadmin then operates on the target file (e.g., /etc/passwd), potentially overwriting it with attacker-controlled content, such as a new user account with elevated privileges or a modified password for an existing account.

Step 5: Privilege Escalation: The attacker uses the modified file to gain unauthorized access and elevate their privileges on the system.

03 // Deep Technical Analysis

The vulnerability stems from a race condition within the uidadmin utility. uidadmin likely performs operations on files based on their names or paths. An attacker can create a symbolic link (symlink) pointing to a target file (e.g., a critical system file like /etc/passwd). The attacker then triggers uidadmin to operate on the symlink. Because of the time-of-check to time-of-use (TOCTOU) flaw, the utility checks the file's existence and attributes, but between the check and the operation the symlink is resolved to the attacker-chosen target. This allows the attacker to manipulate the target file, potentially overwriting it with malicious content and leading to privilege escalation or system compromise. The core flaw is the lack of proper input validation and secure file handling, specifically the failure to detect or refuse symlinks, so that the privileged operation follows the link to the target during the operation.

CVE-1999-0836 - HIGH Severity (10) | Free CVE Database | 4nuxd