| Subject: | [Full-disclosure] shtool insecure temporary file creation |
|---|---|
| Date: | Wed, 25 May 2005 19:44:40 +0200 |
#########################################################
shtool insecure temporary file creation
Vendor: http://www.gnu.org/software/shtool/
Advisory: http://www.zataz.net/adviso/shtool-05252005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact: low
Exploitation: low
#########################################################
shtool contains a security flaw which could allow a malicious local user to create or overwrite the contents of arbitrary files with the rights of the user who runs shtool.
The vulnerability is a race condition.
A lot of products use shtool, for example:
- ocan-mysql
- SellaNMS
- ipcmp
- OOPSE
- OpenLDAP
- PHP
- OpenPKG
- others ....
########## Versions: ##########
shtool <= 2.0.1
########## Solution: ##########
As far as I know, only Gentoo has provided an update to shtool.
Use mktemp, umask and chmod to create secure temporary files.
######### Timeline: #########
Discovered : 2005-05-25
Vendor notified : 2005-05-25
Vendor response : no more vendor
Vendor fix : no vendor fix
Disclosure : 2005-05-25
##################### Technical details : #####################
Vulnerable code :
-----------------

    # establish a temporary file on request
    if [ ".$gen_tmpfile" = .yes ]; then
        if [ ".$TMPDIR" != . ]; then
            tmpdir="$TMPDIR"
        elif [ ".$TEMPDIR" != . ]; then
            tmpdir="$TEMPDIR"
        else
            tmpdir="/tmp"
        fi
        tmpfile="$tmpdir/.shtool.$$"
        rm -f $tmpfile >/dev/null 2>&1
        touch $tmpfile
        chmod 600 $tmpfile
    fi

    # cleanup procedure
    shtool_exit () {
        rc="$1"
        if [ ".$gen_tmpfile" = .yes ]; then
            rm -f $tmpfile >/dev/null 2>&1 || true
        fi
        exit $rc
    }

gen_tmpfile is used for the tarball, subst, scpp and path actions.
######### Related : #########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93782
##################### Credits : #####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thanks to the Gentoo Security Team (Taviso, jaervosz, solar, etc.)
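
The fix the advisory recommends (mktemp, umask and chmod), applied to the temporary-file step shown under Technical details. This is an added example, not shtool's code or the Gentoo patch; make_private_tmpfile and cleanup_tmpfile are hypothetical names, and a mktemp(1) command is assumed to be installed.

```shell
#!/bin/sh
# Added example (not shtool code): hardened form of the temporary-file step.
# make_private_tmpfile / cleanup_tmpfile are hypothetical helper names.

# Create a private temporary file and print its path on stdout.
# Returns non-zero and prints nothing if it cannot be created safely.
make_private_tmpfile () {
    # Same directory lookup order as the quoted code: TMPDIR, TEMPDIR, /tmp.
    mpt_dir="${TMPDIR:-${TEMPDIR:-/tmp}}"
    [ -d "$mpt_dir" ] || return 1

    mpt_old_umask=$(umask)
    umask 077   # nothing created here is ever group/world accessible

    # mktemp chooses an unpredictable suffix and creates the file
    # exclusively: an existing file or symlink with the same name is
    # never opened or followed, a new name is tried instead. This replaces
    # the predictable ".shtool.$$" name and the rm/touch/chmod sequence.
    mpt_rc=0
    mpt_file=$(mktemp "$mpt_dir/.shtool.XXXXXXXXXX") || mpt_rc=$?
    umask "$mpt_old_umask"
    [ "$mpt_rc" -eq 0 ] || return 1

    # Defence in depth: the result must be a regular file, not a symlink.
    if [ -L "$mpt_file" ] || [ ! -f "$mpt_file" ]; then
        return 1
    fi
    chmod 600 "$mpt_file" || return 1
    printf '%s\n' "$mpt_file"
}

# Remove the file named in $tmpfile; quoted so odd paths cannot split.
cleanup_tmpfile () {
    [ -n "${tmpfile:-}" ] && rm -f -- "$tmpfile"
    return 0
}

# Usage, mirroring the gen_tmpfile step:
#   tmpfile=$(make_private_tmpfile) || exit 1
#   trap cleanup_tmpfile EXIT
```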