CVE-1999-1221

Step 1: Symlink Creation: The attacker creates a symbolic link named dxchpwd.log that points to a critical system file, such as /etc/passwd or /etc/shadow.

Step 2: Password Change Attempt: The attacker attempts to change their password using the dxchpwd utility. This triggers the utility to write to the dxchpwd.log file.

Step 3: File Overwrite: Because of the symlink, the dxchpwd utility writes the log data to the target file (e.g., /etc/passwd), overwriting its contents.

Step 4: Privilege Escalation: By manipulating the contents of the target file (e.g., adding a user with elevated privileges or modifying existing user credentials), the attacker gains unauthorized access and control over the system.

The vulnerability stems from a race condition in the dxchpwd utility. This utility, used for changing passwords, logs its actions to the dxchpwd.log file. An attacker can exploit this by creating a symbolic link from dxchpwd.log to a critical system file (e.g., /etc/passwd or /etc/shadow). When dxchpwd writes to the log file, it's actually writing to the target file specified by the symlink. The lack of proper input validation and the absence of checks to prevent symlink attacks allows attackers to overwrite sensitive system files, leading to privilege escalation. The root cause is the insecure handling of file operations and the failure to account for the possibility of symlink manipulation during the logging process. Specifically, the utility does not verify the target of the symlink before writing to it, creating a window of opportunity for attackers to redirect the output to a controlled file.