CVE-2000-0691 in mgetty
Summary
by MITRE
The faxrunq and faxrunqd in the mgetty package allows local users to create or modify arbitrary files via a symlink attack which creates a symlink in from /var/spool/fax/outgoing/.last_run to the target file.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/23/2025
The vulnerability described in CVE-2000-0691 resides within the mgetty package, specifically affecting the faxrunq and faxrunqd utilities that manage fax queuing operations. This issue represents a classic symlink attack vector that exploits improper handling of symbolic links in temporary file creation processes. The flaw occurs when these utilities create or modify files in the /var/spool/fax/outgoing/ directory without adequate validation of symbolic link targets, allowing local attackers to manipulate the filesystem through carefully crafted symlink placement.
The technical implementation of this vulnerability stems from the lack of proper file access controls and symlink validation within the fax processing utilities. When faxrunq and faxrunqd execute, they create or modify files in the outgoing fax spool directory, but fail to verify that these targets are legitimate files rather than symbolic links. An attacker can place a symbolic link named .last_run in the /var/spool/fax/outgoing/ directory that points to any target file on the system. When the utilities attempt to write to this location, they inadvertently modify the target file specified by the symbolic link, rather than the intended .last_run file. This creates a privilege escalation scenario where local users can modify files they would normally not have access to, potentially including system configuration files or binaries.
The operational impact of this vulnerability extends beyond simple file modification capabilities and represents a significant security risk within fax server environments. Attackers can leverage this weakness to compromise system integrity by modifying critical system files, configuration data, or even executable programs. The vulnerability affects systems running mgetty versions that include the fax processing utilities, particularly those configured to handle outgoing fax operations. Since this is a local privilege escalation vulnerability, it requires local access to the system but can potentially allow attackers to gain elevated privileges or cause system instability through targeted file modifications. The attack vector is particularly concerning because it operates silently within the normal fax processing workflow, making detection difficult.
Mitigation strategies for CVE-2000-0691 should focus on immediate patching of the mgetty package to address the symlink handling issue. System administrators should ensure that all fax processing systems are updated to versions that properly validate symbolic link targets before creating or modifying files. Additional protective measures include implementing proper file permissions and access controls on the fax spool directories, using file system capabilities to restrict symbolic link creation, and monitoring for unauthorized symlink creation in critical system directories. The vulnerability aligns with CWE-377: Insecure Temporary File and CWE-59: Improper Link Resolution, both of which are categorized under the broader ATT&CK framework as privilege escalation techniques. Organizations should also consider implementing file integrity monitoring solutions to detect unauthorized modifications to critical system files and establish proper system hardening practices that prevent local users from creating symbolic links in system directories where sensitive operations occur.