[Full-disclosure] everybuddy <= 0.4.3 insecure temporary file creation

#########################################################

everybuddy insecure temporary file creation

Vendor: http://www.everybuddy.com/ (no more vendor URL)
Advisory: http://www.zataz.net/adviso/everybuddy-06062005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks in combination  to create and 
overwrite
arbitrary files with the privileges of the user running the affected script.

##########
Versions:
##########

everybuddy <= 0.4.3

##########
Solution:
##########

Don't use this tool

#########
Timeline:
#########

Discovered : 2005-05-30
Vendor notified : no more vendor
Vendor response : no more vendor
Vendor fix : no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
-----------------

modules/utility/autotrans.c

258   g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O 
/tmp/.eb.%s.translator 
'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
259     getenv("USER"), getenv("USER"), from, to, string);
260
261   printf("Running command line:\n%s\n", buf);
262
263   if(system(buf)!=0)
264   {
265     printf("COULD NOT TRANSLATE: %s\n", ostring);
266     free(string);
267     return strdup(ostring);
268   }
269
270   g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));
271
272   if((dat=fopen(buf, "r"))==NULL)
273   {
274     printf("COULD NOT TRANSLATE: %s\n", ostring);
275     free(string);
276     return strdup(ostring);
277   }
278
279   pos=0;
280
281   while(!feof(dat))
282   {
283     for(a=0; a<3; a++)
284     {
285       lastfew[a]=lastfew[a+1];
286     }
287     lastfew[3]=(char)getc(dat);
288
289     if(printing>=1)
290     {
291       buf[pos++]=lastfew[3];
292       if(pos==1023) { buf[pos]='\0'; break; }
293     }
294
295     if(!strcmp(lastfew, "</TE"))
296     {
297       printf("Found end\n");
298       if (pos >= 5) {
299         buf[pos-4]='\0';
300         printing++;
301         while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
302         {
303           buf[pos-5]='\0';
304           pos--;
305         }
306       }
307       break;
308     }

#########
Related :
#########

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94473

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)

---------------------------------------------------------------------------- 

This e-mail and any attached files are confidential and intended solely for the 
use of the individual or entity to whom they are addressed. If you have 
received this e-mail by mistake, please notify the sender immediately and 
delete it from your system. You must not copy the message or disclose its 
contents to anyone.

----------------------------------------------------------------------------



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/