ID CVE-2006-1057
Summary Race condition in daemon/slave.c in gdm before 2.14.1 allows local users to gain privileges via a symlink attack when gdm performs chown and chgrp operations on the .ICEauthority file.
References
Vulnerable Configurations
  • cpe:2.3:a:gnome:gdm:2.14
CVSS
Base: 3.7 (as of 26-04-2006 - 08:13)
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Access
Vector LOCAL
Complexity HIGH
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-083.NASL
    description A race condition in daemon/slave.c in gdm before 2.14.1 allows local users to gain privileges via a symlink attack when gdm performs chown and chgrp operations on the .ICEauthority file. Packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21358
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21358
    title Mandrake Linux Security Advisory : gdm (MDKSA-2006:083)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0286.NASL
    description An updated gdm package that fixes a security issue and a bug is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. Gdm (the GNOME Display Manager) is a highly configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. Marcus Meissner discovered a race condition issue in the way Gdm modifies the permissions on the .ICEauthority file. A local attacker could exploit this flaw to gain privileges. Due to the nature of the flaw, however, a successful exploitation was unlikely. (CVE-2006-1057) This erratum also includes a bug fix to correct the pam configuration for the audit system. All users of gdm should upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 25145
    published 2007-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25145
    title RHEL 4 : gdm (RHSA-2007:0286)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070501_GDM_ON_SL4.NASL
    description Marcus Meissner discovered a race condition issue in the way Gdm modifies the permissions on the .ICEauthority file. A local attacker could exploit this flaw to gain privileges. Due to the nature of the flaw, however, a successful exploitation was unlikely. (CVE-2006-1057)
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60166
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60166
    title Scientific Linux Security Update : gdm on SL4 i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1040.NASL
    description A vulnerability has been identified in gdm, a display manager for X, that could allow a local attacker to gain elevated privileges by exploiting a race condition in the handling of the .ICEauthority file.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22582
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22582
    title Debian DSA-1040-1 : gdm - programming error
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-278-1.NASL
    description Marcus Meissner discovered a race condition in gdm's handling of the ~/.ICEauthority file permissions. A local attacker could exploit this to become the owner of an arbitrary file in the system. When getting control over automatically executed scripts (like cron jobs), the attacker could eventually leverage this flaw to execute arbitrary commands with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-05-26
    plugin id 21372
    published 2006-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21372
    title Ubuntu 5.04 / 5.10 : gdm vulnerability (USN-278-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0286.NASL
    description From Red Hat Security Advisory 2007:0286 : An updated gdm package that fixes a security issue and a bug is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. Gdm (the GNOME Display Manager) is a highly configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. Marcus Meissner discovered a race condition issue in the way Gdm modifies the permissions on the .ICEauthority file. A local attacker could exploit this flaw to gain privileges. Due to the nature of the flaw, however, a successful exploitation was unlikely. (CVE-2006-1057) This erratum also includes a bug fix to correct the pam configuration for the audit system. All users of gdm should upgrade to this updated package, which contains backported patches to resolve these issues.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 67483
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67483
    title Oracle Linux 4 : gdm (ELSA-2007-0286)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2006-338.NASL
    description (Notes taken from upstream release mail) - The sockets connection between the slaves and the GDM daemon is now better managed to better ensure that sockets are never left open. (Brian Cameron) - Corrected bug that causes a core dump when you click on gdmgreeter fields that have an id. (Brian Cameron) - Add new GdmXserverTimeout configuration setting so that the length of time GDM waits for the Xserver to start can be tuned, so GDM better works with Xservers that require more than 10 seconds to start. (Emilie) - The happygnome and happygnome-list gdmgreeter themes now use the official logo. (Brian Cameron) - Now GDM configure supports --with-sysconfsubdir so that GDM's configuration directory can be configured to not have '/gdm' appended to the end. - Fix for ensuring .ICEauthority file has proper ownership/permissions. Addresses CVE-2006-1057. (Hans Petter Jansson) - Fix 'Show Actions Menu' section in gdmsetup so it appears when both 'Plain' and 'Themed' style is chosen. (Brian Cameron, Dennis Cranston) - Now use LINGUAS procedure for defining languages. (Michiel Sikkes) - Now Xsession script uses '$@' instead of '$1' so it is possible to pass arguments with the command to run. (Brian Cameron) - Add Trusted Solaris support. (Niall Power) - One line fix to Solaris auditing logic that fixes a bug causing authentication to fail when auditing is turned on. (Brian Cameron) - Fixes to compile with C99 and fixes to compile under NetBSD. Remove EXPANDED_* variables from the configure. (Julio M. Merino Vidal) - Translation updates (Žygimantas Beručka, Benoît Dejean, Laurent Dhima, Maxim Dziumanenko, Alessio Frusciante, Rhys Jones, Raphael Higino, Theppitak Karoonboonyanan, Gabor Kelmen, Priit Laes, Jordi Mallach, Kjartan Maraas, Daniel Nylander, Kostas Papdimas, Guilherme de S. Pastore, Ankit Patel, Ignacio Casal Quinteiro, Hendrik Richter, Jens Seidel, Francisco Javier F. Serrador, Alexander Shopov, Clytie Siddall, Ilkka Tuohela, Vincent van Adrighem, Tommi Vainikaninen) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21249
    published 2006-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21249
    title Fedora Core 5 : gdm-2.14.1-1.fc5.2 (2006-338)
oval via4
accepted 2013-04-29T04:01:32.622-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Race condition in daemon/slave.c in gdm before 2.14.1 allows local users to gain privileges via a symlink attack when gdm performs chown and chgrp operations on the .ICEauthority file.
family unix
id oval:org.mitre.oval:def:10092
status accepted
submitted 2010-07-09T03:56:16-04:00
title Race condition in daemon/slave.c in gdm before 2.14.1 allows local users to gain privileges via a symlink attack when gdm performs chown and chgrp operations on the .ICEauthority file.
version 23
redhat via4
advisories
bugzilla
id 188302
title CVE-2006-1057 GDM file permissions race condition
oval
AND
  • comment Red Hat Enterprise Linux 4 is installed
    oval oval:com.redhat.rhba:tst:20070304001
  • comment gdm is earlier than 1:2.6.0.5-7.rhel4.15
    oval oval:com.redhat.rhsa:tst:20070286002
  • comment gdm is signed with Red Hat master key
    oval oval:com.redhat.rhsa:tst:20070286003
rhsa
id RHSA-2007:0286
released 2007-05-01
severity Low
title RHSA-2007:0286: gdm security and bug fix update (Low)
rpms gdm-1:2.6.0.5-7.rhel4.15
refmap via4
bid 17635
confirm
debian DSA-1040
fedora FEDORA-2006-338
mandriva MDKSA-2006:083
ubuntu USN-278-1
vupen ADV-2006-1465
xf gdm-slavec-symlink(26092)
statements via4
contributor Mark J Cox
lastmodified 2006-09-19
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188302 The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 and 3.
Last major update 10-08-2011 - 00:00
Published 24-04-2006 - 21:02
Last modified 03-10-2018 - 17:36