Category:  Application (Security)  >  fireHOL
Vendors:  firehol.sourceforge.net
FireHOL Unsafe Temporary Files Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1012969
SecurityTracker URL:  http://securitytracker.com/id?1012969
CVE Reference:  CAN-2005-0225
OSVDB Reference:  13137
Updated:  Feb 7 2005
Original Entry Date:  Jan 24 2005
Impact:  Modification of system information, Modification of user information, Root access via local system, User access via local system
Version(s): 1.214
Description:  A vulnerability was reported in FireHOL. A local user may be able to gain elevated privileges.

Sam Couter reported that FireHOL uses temporary files with known filenames in a temporary directory that has a predictable name based on the process ID.

A local user can create a symbolic link (symlink) at the path of a temporary file that FireHOL will use, pointing to a critical file on the system. Then, when a target user runs FireHOL, the file the symlink points to may be overwritten with the privileges of the target user.

Impact:  A local user may be able to gain elevated privileges.
Solution:  No solution was available at the time of this entry.
Vendor URL:  firehol.sourceforge.net/
Cause:  Access control error, State error
Underlying OS:  Linux (Any)
Reported By:  Sam Couter <sam@couter.dropbear.id.au>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 2 2005 (Gentoo Issues Fix) FireHOL Unsafe Temporary Files Let Local Users Gain Elevated Privileges   (Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>)
Gentoo has released a fix.
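
The PID-based directory pattern described above, next to a hardened alternative, as an added shell example that is not FireHOL's code or the Gentoo fix. The `example` directory names and the helper function names are assumptions made for illustration, and a Linux system with `mktemp` is assumed.

```shell
#!/bin/sh
# Added illustration. The "example" names are hypothetical, not FireHOL's.

# Pattern from the advisory: the directory name is derived from the PID, and
# "mkdir -p" reports success when the path already exists, so a directory or
# symlink created earlier by another user is silently reused.
unsafe_tmpdir() {
    dir="$1/example-tmp-$$"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$dir"
}

# Hardened pattern: mktemp -d chooses an unpredictable name and creates the
# directory atomically with mode 0700; it fails rather than reuse a path.
safe_tmpdir() {
    ( umask 077; mktemp -d "$1/example.XXXXXXXXXX" )
}

# Guard for scripts that must keep a fixed path: accept it only if it is a
# real directory (not a symlink), owned by the caller, with mode 0700.
dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Constructed demo inside a throwaway sandbox: a symlink already occupies the
# predictable path before either helper runs.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/elsewhere"
    ln -s "$sandbox/elsewhere" "$sandbox/example-tmp-$$"
    for d in "$(unsafe_tmpdir "$sandbox")" "$(safe_tmpdir "$sandbox")"; do
        if dir_is_private "$d"; then
            echo "private: ${d#"$sandbox"/}"
        else
            echo "NOT private, refuse to use: ${d#"$sandbox"/}"
        fi
    done
    rm -rf "$sandbox"
}

demo
```

Files written inside the directory returned by `safe_tmpdir` cannot be pre-seeded by other local users, because nobody else can write to a mode 0700 directory they do not own.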



 Source Message Contents

Date:  Sat, 22 Jan 2005 21:51:32 +1100
From:  Sam Couter <sam@couter.dropbear.id.au>
Subject:  firehol: insecure temporary directory handling

 
 
Both firehol and firehol-wizard use known temporary file names in a
predictably named temporary directory (PID-based).
 
Neither program ensures that those directories are safe before blasting
the contents of files within. An attacker can place carefully named
symlinks in the directory and overwrite or corrupt many files on the
system.
 
I have exploited this (it's trivial if even I can do it).
 
Security team says:
"You may add that if the author/maintainer doesn't know how to fix
the problem either, they should not hesitate to contact us."
-- 
Sam "Eddie" Couter  |  mailto:sam@couter.dropbear.id.au
Debian Developer    |  mailto:eddie@debian.org
                    |  jabber:sam@teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
 



Copyright 2005, SecurityGlobal.net LLC