cdrtools DEBUG Mode Uses Unsafe Temporary Files That May Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1013600 |
|
SecurityTracker URL: http://securitytracker.com/id/1013600
|
|
CVE Reference:
CAN-2005-0866
(Links to External Site)
|
Date: Mar 30 2005
|
Impact:
Modification of system information, Modification of user information, Root access via local system, User access via local system
|
Exploit Included: Yes
|
Version(s): 2.01
|
Description:
A temporary file vulnerability was reported in cdrtools. A local user may be able to obtain elevated privileges.
If DEBUG is enabled in the '/etc/cdrecord/rscsi' file and the default debug output file location is used ('/tmp'), then cdrecord may create unsafe temporary files. A local user can create a symbolic link (symlink) from a critical file on the system to a temporary file to be used by cdrecord. Then, when cdrecord is run by the target user, the symlinked file may be created or overwritten with the privileges of the target user.
Javier Fernandez-Sanguino Pena discovered this vulnerability.
|
Impact:
A local user may be able to gain the privileges of the target user running cdrtools.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: cdrecord.berlios.de/old/private/cdrecord.html (Links to External Site)
|
Cause:
Access control error, State error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 29 Mar 2005 23:54:02 -0500
Subject: [none]
|
Javier reported:
> Cdrtools has some code (and default configuration) that suggests users that
> want to debug its behaviour to open up a can of worms associate to insecure
> temporary files usage. The Debug file defined in the configuration will
> just be fopened() without any checks and is thus vulnerable to symlink
> attacks.
CVE: CAN-2005-0866
|
|
