shtool Temporary File May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1014059
SecurityTracker URL: http://securitytracker.com/id?1014059
CVE Reference: CAN-2005-1751, CAN-2005-1759
Updated: Jun 14 2005
Original Entry Date: May 26 2005
Impact: Modification of system information, Modification of user information, User access via local system
Version(s): 2.0.1 and prior versions

Description: Eric Romang (ZATAZ) reported a vulnerability in shtool. A local user may be able to gain elevated privileges.

The utility creates temporary files in an unsafe manner [CVE: CAN-2005-1751]. There is a race condition that can be exploited to potentially gain the privileges of the target user running shtool.

Gentoo Security later discovered that once the shtool temporary file is created, it is reused in an unsafe manner [CVE: CAN-2005-1759].

Impact: A local user may be able to obtain elevated privileges.
Solution: No solution was available at the time of this entry.
Vendor URL: www.gnu.org/software/shtool/
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: "ZATAZ.net" <exploits@zataz.net>

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents
Date: Wed, 25 May 2005 19:44:40 +0200
From: "ZATAZ.net" <exploits@zataz.net>
Subject: shtool insecure temporary file creation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
#########################################################
shtool insecure temporary file creation
Vendor: http://www.gnu.org/software/shtool/
Advisory: http://www.zataz.net/adviso/shtool-05252005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
shtool contains a security flaw which could allow a
malicious local user to create or overwrite the content of arbitrary files
with the rights of the user who uses shtool.
The vulnerability is a race condition.
A lot of products use shtool, for example:
- - ocan-mysql
- - SellaNMS
- - ipcmp
- - OOPSE
- - OpenLDAP
- - PHP
- - OpenPKG
- - others ....
##########
Versions:
##########
shtool <= 2.0.1
##########
Solution:
##########
As far as I know, only Gentoo has provided an update to shtool.
Use mktemp, umask and chmod to create secure temporary files.
#########
Timeline:
#########
Discovered : 2005-05-25
Vendor notified : 2005-05-25
Vendor response : no more vendor
Vendor fix : no vendor fix
Disclosure : 2005-05-25
#####################
Technical details :
#####################
Vulnerable code :
- -----------------
# establish a temporary file on request
if [ ".$gen_tmpfile" = .yes ]; then
    if [ ".$TMPDIR" != . ]; then
        tmpdir="$TMPDIR"
    elif [ ".$TEMPDIR" != . ]; then
        tmpdir="$TEMPDIR"
    else
        tmpdir="/tmp"
    fi
    tmpfile="$tmpdir/.shtool.$$"
    rm -f $tmpfile >/dev/null 2>&1
    touch $tmpfile
    chmod 600 $tmpfile
fi

# cleanup procedure
shtool_exit () {
    rc="$1"
    if [ ".$gen_tmpfile" = .yes ]; then
        rm -f $tmpfile >/dev/null 2>&1 || true
    fi
    exit $rc
}
The gen_tmpfile is used for tarball, subst, scpp and path actions.
#########
Related :
#########
Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93782
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFClLmIXXuxWE8lDAcRAjXNAJ4tDchC7D3T7dQ/cY4mZ2hb3VYlIwCdHNAc
YCtVQmrCHRBu3l5topwCi28=
=dghw
-----END PGP SIGNATURE-----
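
The mitigation the advisory names (mktemp, umask, chmod), written out as an added example; it is not code from the advisory or from shtool. It replaces the predictable `$tmpdir/.shtool.$$` name with a file inside a private, atomically created directory, so later writes to the file go to a path no other local user can replace. The function names `safe_tmpfile` and `safe_tmp_cleanup`, the `shtool.XXXXXX` template and the `work` file name are assumptions.

```shell
#!/bin/sh
# Added example (not shtool's own code): hardened replacement for the
# gen_tmpfile block. All names below are assumptions.

# Print the path of a fresh temp file inside a private 0700 directory.
# Returns non-zero on any failure; never falls back to a predictable name.
safe_tmpfile () {
    base="${TMPDIR:-/tmp}"
    old_umask=$(umask)
    umask 077    # nothing created here is group- or world-accessible
    # mktemp -d picks a random name and creates the directory atomically;
    # it fails if the name already exists instead of reusing it.
    dir=$(mktemp -d "$base/shtool.XXXXXX") || { umask "$old_umask"; return 1; }
    file="$dir/work"
    # noclobber (set -C) makes the redirect fail if the path already exists
    ( set -C; : > "$file" ) || { rmdir "$dir"; umask "$old_umask"; return 1; }
    umask "$old_umask"
    printf '%s\n' "$file"
}

# Remove the temp file and its private directory. Refuses any path that
# does not have the shape safe_tmpfile produces.
safe_tmp_cleanup () {
    case "$1" in
        */shtool.??????/work) rm -f -- "$1" && rmdir -- "${1%/work}" ;;
        *) return 1 ;;
    esac
}

# Usage inside a script:
#   tmpfile=$(safe_tmpfile) || exit 1
#   trap 'safe_tmp_cleanup "$tmpfile"' EXIT
```
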