Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] LutelWall <= 0.97 insecure temporary file creation

from [ZATAZ Audits] Network Security [Permanent Link]
Subject: [Full-disclosure] LutelWall <= 0.97 insecure temporary file creation
Date: Mon, 06 Jun 2005 10:21:54 +0200 
#########################################################

LutelWall insecure temporary file creation

Vendor: http://firewall.lutel.pl/index.php
Advisory: http://www.zataz.net/adviso/lutelwall-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low

#########################################################

The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite arbitrary files
with the privileges of the user running the affected script.

The exploitation require that the root try to update the software.

##########
Versions:
##########

LutelWall <= 0.97

##########
Solution:
##########

non solution yet.

#########
Timeline:
#########

Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : none
Vendor fix :  no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
-----------------

# Prefix of temporary firewall files
tmp='/tmp/lutelwall'

new_version_check () { # Check for new version of script

if [ "`wget -V 2>&1 >/dev/null`" ]; then
message 3 "Warrning: Wget is required to check for updates."
else
new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`" http://firewall.lutel.pl/ver`
if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'` -lt `echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then
echo -e "\nThere is newer version of LutelWall (${new_ver})"
echo -n " Changes since previous version:"
echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3 http://firewall.lutel.pl/FEATURES-${new_ver}`
cat $tmp-newfeat
echo "Do you want to update [y/N]? "
read -s -t 5 -n 1 ln
if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then
wget -O $tmp-script -q -T 3 http://firewall.lutel.pl/lutelwall
cat $tmp-script > $0
rm -rf $tmp-script
echo "Your firewall is up to date, exiting after update!"
exit
else
message 5 "Update aborted"
fi
else
message 5 "LutelWall is up-to-date"
fi;
fi;

}

#########
Related :
#########

nothing related

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] LutelWall <= 0.97 insecure temporary file creation, ZATAZ Audits <=
Previous by Date:  [Full-disclosure] everybuddy <= 0.4.3 insecure temporary file creation, Eric Romang / DATACENTER Luxembourg
Next by Date:  [Full-disclosure] [AppSecInc Advisory WEBSP05-V0098] Remote Buffer overflow in WebSphere Application Server Administrative Console, Team SHATTER
Previous by Thread:  [Full-disclosure] everybuddy <= 0.4.3 insecure temporary file creation, Eric Romang / DATACENTER Luxembourg
Next by Thread:  [Full-disclosure] [AppSecInc Advisory WEBSP05-V0098] Remote Buffer overflow in WebSphere Application Server Administrative Console, Team SHATTER
Indexes:  [Date] [Thread] [Top] [All Lists]