Vulnerabilities > CVE-2005-1111 - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products

CVSS 4.7 - MEDIUM

Attack vector

LOCAL

Attack complexity

HIGH

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

local

high complexity

nessus

NVD

Published: 2005-05-02

Updated: 2024-01-26

Summary

Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.

Vulnerable Configurations

Part	Description	Count
Application	Gnu GNU Cpio - GNU Cpio 1.0 GNU Cpio 1.1 GNU Cpio 1.2 GNU Cpio 1.3 GNU Cpio 2.4-2 GNU Cpio 2.5 GNU Cpio 2.5.90 GNU Cpio 2.6	9
OS	Debian Debian Debian Linux 3.1 Debian Debian Linux 3.0	2
OS	Canonical Canonical Ubuntu Linux 4.10 Canonical Ubuntu Linux 5.04	2

Common Weakness Enumeration (CWE)

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2005-378.NASL
description	An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	19283
published	2005-07-22
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/19283
title	RHEL 3 / 4 : cpio (RHSA-2005:378)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:378. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(19283); script_version ("1.24"); script_cvs_date("Date: 2019/10/25 13:36:11"); script_cve_id("CVE-2005-1111"); script_bugtraq_id(13159); script_xref(name:"RHSA", value:"2005:378"); script_name(english:"RHEL 3 / 4 : cpio (RHSA-2005:378)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-1111" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2005:378" ); script_set_attribute(attribute:"solution", value:"Update the affected cpio package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:cpio"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(3\|4)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x / 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2005:378"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL3", reference:"cpio-2.5-4.RHEL3")) flag++; if (rpm_check(release:"RHEL4", reference:"cpio-2.5-8.RHEL4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cpio"); } }

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2005-378.NASL
description	An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	21815
published	2006-07-03
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/21815
title	CentOS 3 / 4 : cpio (CESA-2005:378)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:378 and # CentOS Errata and Security Advisory 2005:378 respectively. # include("compat.inc"); if (description) { script_id(21815); script_version("1.19"); script_cvs_date("Date: 2019/10/25 13:36:02"); script_cve_id("CVE-2005-1111"); script_bugtraq_id(13159); script_xref(name:"RHSA", value:"2005:378"); script_name(english:"CentOS 3 / 4 : cpio (CESA-2005:378)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing a security update." ); script_set_attribute( attribute:"description", value: "An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1111 to this issue. Additionally, this update adds cpio support for archives larger than 2GB. However, the size of individual files within an archive is limited to 4GB. All users of cpio are advised to upgrade to this updated package, which contains backported fixes for these issues." ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011938.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?d58a37f6" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011940.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0fd3f45c" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011943.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?da78775d" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011944.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?bffea584" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011951.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?981c5aef" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011952.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?727e62d2" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011953.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?0608d7ad" ); # https://lists.centos.org/pipermail/centos-announce/2005-July/011954.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a539f070" ); script_set_attribute(attribute:"solution", value:"Update the affected cpio package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:cpio"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^(3\|4)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x / 4.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-3", reference:"cpio-2.5-4.RHEL3")) flag++; if (rpm_check(release:"CentOS-4", reference:"cpio-2.5-8.RHEL4")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cpio"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-846.NASL
description	Two vulnerabilities have been discovered in cpio, a program to manage archives of files. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-1111 Imran Ghory discovered a race condition in setting the file permissions of files extracted from cpio archives. A local attacker with write access to the target directory could exploit this to alter the permissions of arbitrary files the extracting user has write permissions for. - CAN-2005-1229 Imran Ghory discovered that cpio does not sanitise the path of extracted files even if the --no-absolute-filenames option was specified. This can be exploited to install files in arbitrary locations where the extracting user has write permissions to.
last seen	2020-06-01
modified	2020-06-02
plugin id	19954
published	2005-10-11
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19954
title	Debian DSA-846-1 : cpio - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-846. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19954); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-1111", "CVE-2005-1229"); script_xref(name:"DSA", value:"846"); script_name(english:"Debian DSA-846-1 : cpio - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Two vulnerabilities have been discovered in cpio, a program to manage archives of files. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-1111 Imran Ghory discovered a race condition in setting the file permissions of files extracted from cpio archives. A local attacker with write access to the target directory could exploit this to alter the permissions of arbitrary files the extracting user has write permissions for. - CAN-2005-1229 Imran Ghory discovered that cpio does not sanitise the path of extracted files even if the --no-absolute-filenames option was specified. This can be exploited to install files in arbitrary locations where the extracting user has write permissions to." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=306693" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305372" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-846" ); script_set_attribute( attribute:"solution", value: "Upgrade the cpio package. For the old stable distribution (woody) these problems have been fixed in version 2.4.2-39woody2. For the stable distribution (sarge) these problems have been fixed in version 2.5-1.3." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:cpio"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"cpio", reference:"2.4.2-39woody2")) flag++; if (deb_check(release:"3.1", prefix:"cpio", reference:"2.5-1.3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-189-1.NASL
description	Imran Ghory found a race condition in the handling of output files. While a file was unpacked with cpio, a local attacker with write permissions to the target directory could exploit this to change the permissions of arbitrary files of the cpio user. (CAN-2005-1111) Imran Ghory discovered a path traversal vulnerability. Even when the --no-absolute-filenames option was specified, cpio did not filter out
last seen	2020-06-01
modified	2020-06-02
plugin id	20601
published	2006-01-15
reporter	Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/20601
title	Ubuntu 4.10 / 5.04 : cpio vulnerabilities (USN-189-1)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2005-806.NASL
description	An updated cpio package that fixes multiple issues is now available. This update has been rated as having low security impact by the Red Hat Security Response Team. GNU cpio copies files into or out of a cpio or tar archive. A race condition bug was found in cpio. It is possible for a local malicious user to modify the permissions of a local file if they have write access to a directory in which a cpio archive is being extracted. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-1111 to this issue. It was discovered that cpio uses a 0 umask when creating files using the -O (archive) option. This creates output files with mode 0666 (all users can read and write) regardless of the user
last seen	2020-06-01
modified	2020-06-02
plugin id	20204
published	2005-11-15
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/20204
title	RHEL 2.1 : cpio (RHSA-2005:806)

NASL family	Mandriva Local Security Checks
NASL id	MANDRAKE_MDKSA-2005-116.NASL
description	A race condition has been found in cpio 2.6 and earlier which allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete (CVE-2005-1111). A vulnerability has been discovered in cpio that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute (CVE-2005-1229). Update : The previous packages had a problem upgrading due to an unresolved issue with tar and rmt. These packages correct the problem.
last seen	2020-06-01
modified	2020-06-02
plugin id	18678
published	2005-07-12
reporter	This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/18678
title	Mandrake Linux Security Advisory : cpio (MDKSA-2005:116-1)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-200506-16.NASL
description	The remote host is affected by the vulnerability described in GLSA-200506-16 (cpio: Directory traversal vulnerability) A vulnerability has been found in cpio that can potentially allow a cpio archive to extract its files to an arbitrary directory of the creator
last seen	2020-06-01
modified	2020-06-02
plugin id	18531
published	2005-06-20
reporter	This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/18531
title	GLSA-200506-16 : cpio: Directory traversal vulnerability

Oval

accepted

2005-09-21T01:33:00.000-04:00

class

vulnerability

contributors

name	Jay Beale
organization	Bastille Linux

description

family

unix

oval:org.mitre.oval:def:358

status

accepted

submitted

2005-08-08T12:00:00.000-04:00

title

cpio Race Condition

version

accepted

2013-04-29T04:22:09.996-04:00