uutils coreutils tail Utility Symbolic Link Follow Vulnerability

Vulnerability

A vulnerability in the tail utility of uutils coreutils allows sensitive file contents to be exfiltrated when the --follow=name option is used. Unlike GNU tail, which stops monitoring a file once it is replaced by a symbolic link, uutils tail continues to follow the link's target. This behavior can be exploited by a local attacker with write access to a log directory monitored by a privileged user. The attacker can replace a log file with a symlink to a sensitive system file, such as /etc/shadow, causing tail to disclose the file's contents.

Impact

Exfiltration of sensitive file contents, such as those from /etc/shadow.

Reproduction

The vulnerability can be reproduced by using uutils tail with the --follow=name option on a file that has been replaced with a symbolic link to a sensitive system file. This can be done by first creating a test file and then replacing it with a symlink to /etc/passwd. uutils tail will follow the symlink and output the contents of the target file, demonstrating the vulnerability.

Remediation

Users can update to the latest version of uutils coreutils, where this issue has been fixed.
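The behaviour attributed to GNU tail above (stop following once the monitored name becomes a symbolic link) can be expressed as a check made each time the file is re-opened by name. This is an added example, not code from uutils or GNU coreutils and not the project's actual fix; `Reopen`, `reopen_by_name` and the scratch file names are hypothetical, and a Unix target is assumed.

```rust
use std::fs::{self, File};
use std::io;
use std::os::unix::fs::MetadataExt;
use std::path::Path;

/// Decision for one re-open of a file followed by name (hypothetical type).
#[derive(Debug)]
pub enum Reopen {
    Follow(File),
    Stop(&'static str),
}

/// Re-open `path` for follow-by-name, refusing symbolic links.
pub fn reopen_by_name(path: &Path) -> io::Result<Reopen> {
    // lstat: inspect the name itself, not whatever it points to.
    let link = match fs::symlink_metadata(path) {
        Ok(m) => m,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(Reopen::Stop("missing")),
        Err(e) => return Err(e),
    };
    if link.file_type().is_symlink() {
        return Ok(Reopen::Stop("replaced by symlink"));
    }
    // Close the lstat/open race: the opened handle must be the inode lstat saw.
    let file = File::open(path)?;
    let opened = file.metadata()?;
    if (opened.dev(), opened.ino()) != (link.dev(), link.ino()) {
        return Ok(Reopen::Stop("changed during reopen"));
    }
    Ok(Reopen::Follow(file))
}

fn main() -> io::Result<()> {
    // Constructed demo: a scratch directory stands in for the log directory.
    let dir = std::env::temp_dir().join(format!("follow_name_demo_{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (log, other) = (dir.join("app.log"), dir.join("other.txt"));
    fs::write(&log, "log line\n")?;
    fs::write(&other, "unrelated file\n")?;
    println!("regular file: {:?}", reopen_by_name(&log)?);
    fs::remove_file(&log)?;
    std::os::unix::fs::symlink(&other, &log)?;
    println!("after swap:   {:?}", reopen_by_name(&log)?);
    fs::remove_dir_all(&dir)
}
```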

Added: Apr 22, 2026, 6:50 PM
Updated: Apr 22, 2026, 6:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.4
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.