VULHUB ™

Irix ships with a mechanism for unified name lookups called nsd. A vulnerability in a debugging feature implemented in nsd may allow for local attackers to corrupt any file on the filesystem. If the SIGUSR1 signal is sent to the nsd process, nsd will write a listing of it's filesystem to '/var/tmp/nsd.dump'. When writing this file, there are no checks to ensure that it does not already exist. Symbolic links will also be followed. This behaviour may be exploited by local attackers to corrupt arbitrary files. A denial of service may occur if an attacker causes critical files to be overwritten. If the attacker can control the contents of the dump (perhaps through performing lookups prior to the attack), privilege escalation may be possible.

Irix ships with a mechanism for unified name lookups called nsd. A vulnerability in a debugging feature implemented in nsd may allow for local attackers to corrupt any file on the filesystem. If the SIGUSR1 signal is sent to the nsd process, nsd will write a listing of it's filesystem to '/var/tmp/nsd.dump'. When writing this file, there are no checks to ensure that it does not already exist. Symbolic links will also be followed. This behaviour may be exploited by local attackers to corrupt arbitrary files. A denial of service may occur if an attacker causes critical files to be overwritten. If the attacker can control the contents of the dump (perhaps through performing lookups prior to the attack), privilege escalation may be possible.