Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

bzip2 TOCTOU file-permissions vulnerability

from [Imran Ghory] Network Security [Permanent Link]
Subject: bzip2 TOCTOU file-permissions vulnerability
Date: Wed, 30 Mar 2005 22:38:55 +0100 
================================
bzip2 TOCTOU file-permissions vulnerability 
================================

Software: bzip2
Version: 1.0.2
Software URL: <http://sources.redhat.com/bzip2/>
Platform:  Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low, requires local attacker and badly set directory permissions.


Vulnerable software
====================

bzip2 1.0.2 and previous versions running on unix. 

bzip2 1.0.2 compiled for Windows using lcc or MS Visual C++  is not effected.

Vulnerability
============== 

If a malicious local user has write access to a directory in which a
target user is using bzip2 to extract or compress a file to then a
TOCTOU bug can be exploited to change the permission of any file
belonging to that user.

On decompressing bzip2 copies the permissions from the compressed
bzip2 file to the
uncompressed file. However there is a gap between the uncompressed
file being written (and it's file handler being close) and the
permissions of the file being changed.

During this gap a malicious user can remove the decompressed file and
replace it with a hard-link to another file belonging to the user.
bzip2 will then change the permissions on the  hard-linked file to be
the same as that of the bzip2 file.

Fix
====

Ensure that any directory which is being used by bzip2 to
compress/decompress files is only writeable by the user or
alternatively set the sticky bit on the directory's permissions
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • bzip2 TOCTOU file-permissions vulnerability, Imran Ghory <=
Previous by Date:  [CLA-2005:945] Conectiva Security Announcement - kernel, Conectiva Updates
Next by Date:  Re: DoS of LAN via D-Link switches, Joel Maslak
Previous by Thread:  [CLA-2005:945] Conectiva Security Announcement - kernel, Conectiva Updates
Next by Thread:  cPanel/WHM demo account problems, Richard Stanway
Indexes:  [Date] [Thread] [Top] [All Lists]