CVE-2011-1031 in fehinfo

Summary

by MITRE

The feh_unique_filename function in utils.c in feh 1.11.2 and earlier might allow local users to create arbitrary files via a symlink attack on a /tmp/feh_ temporary file, a different vulnerability than CVE-2011-0702.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/17/2021

The feh image viewer application contains a critical race condition vulnerability in its temporary file handling mechanism that enables local privilege escalation through symbolic link attacks. This vulnerability exists within the feh_unique_filename function located in the utils.c source file, affecting versions 1.11.2 and earlier. The flaw manifests when the application creates temporary files in the /tmp directory without proper security checks, allowing malicious users to exploit the window between file creation and access to manipulate the system's file structure.

The technical implementation of this vulnerability stems from improper temporary file creation practices where feh generates temporary files with predictable naming patterns such as /tmp/feh_ followed by a random number. During the execution of the feh_unique_filename function, the application first checks for the existence of a temporary file and then proceeds to create it, creating a race condition window where an attacker can establish a symbolic link to a target file before the legitimate file is created. This race condition is classified under CWE-367 which specifically addresses Time-of-Check to Time-of-Use vulnerabilities, where the application's security decision is based on outdated information due to the temporal gap between verification and actual use.

The operational impact of this vulnerability extends beyond simple file creation manipulation, as it can potentially allow attackers to overwrite critical system files, inject malicious content into configuration files, or escalate privileges by targeting files with elevated permissions. An attacker exploiting this vulnerability can craft a symbolic link pointing to a sensitive target file such as /etc/passwd or a system binary, and when feh processes the temporary file, the application will write data to the target file instead of the intended temporary location. This attack vector aligns with ATT&CK technique T1059.007 for command and script injection, and T1548.001 for abuse of privileges through file system manipulation.

Mitigation strategies for this vulnerability involve immediate patching of the feh application to version 1.11.3 or later where the race condition has been addressed through proper temporary file creation mechanisms. System administrators should implement restrictive permissions on the /tmp directory, ensuring that temporary files are created with appropriate umask settings and ownership controls. Additionally, the application should be modified to use secure temporary file creation functions such as mkstemp() instead of the vulnerable approach that relies on predictable naming patterns. Organizations should also consider implementing monitoring solutions to detect suspicious symbolic link creation patterns in temporary directories and maintain regular vulnerability assessments to identify similar race condition vulnerabilities in other applications. The fix typically involves implementing atomic file creation procedures and ensuring that temporary file operations are protected against symlink attacks through proper file descriptor management and access control validation.

Reservation

02/14/2011

Disclosure

02/14/2011

Moderation

accepted

Entry

VDB-56491

CPE

ready

EPSS

0.00332

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!