Category:   Application (Multimedia)  >   cplay
Vendors:   Betlehem, Ulf
cplay Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1010574
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 23 2004
Impact:   Modification of system information, Modification of user information, User access via local system
Exploit Included:  Yes  
Version(s): 1.49
Description:   A vulnerability was reported in cplay in the processing of temporary files. A local user may be able to gain elevated privileges.

Martin Michlmayr reported that cplay creates a temporary file (/var/tmp/cplay_control) in an unsafe manner. A local user can create a symbolic link (symlink) at the temporary file's path that points to a critical file on the system. Then, when cplay is run, it follows the symlink and writes commands to the linked file with the privileges of the target user running cplay.

Impact:   A local user may be able to gain elevated privileges on the target system.
Solution:   No upstream solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  cplay has bad /tmp handling

Package: cplay
Severity: important

----- Forwarded message from Matt Zimmerman <> -----

From: Matt Zimmerman <>
Subject: Re: /tmp handling in cplay

On Mon, Apr 12, 2004 at 03:10:50PM +0100, Martin Michlmayr wrote:
 > Can you please take a look at the /tmp handling of cplay.  It creates
 > a FIFO there so other programs can control cplay and tell it which
 > songs to play.  cplay is in the archive, search for CONTROL_FIFO in
 > /usr/bin/cplay.  Thanks.

CONTROL_FIFO = "/var/tmp/cplay_control"
         try: self.fd = open(CONTROL_FIFO, "rb+", 0)

/var/tmp/cplay_control could be created by any user (/var/tmp is +w) as a
symlink to an existing file only writable by the target user, which would
have commands written to it with the target user's privileges when they use
the control mechanism.

Since the contents cannot be controlled by the attacker, there are few
scenarios where this could be a privilege escalation, but there are plenty
of DoS possibilities.

The right fix would be to create a unique subdirectory of TMPDIR (perhaps
with the uid/username in it), only writable by the user himself, and place
the fifo there.  See gconfd, orbit, ssh, etc.

I just ran out of CVE candidates and have asked for more; once I have them,
I'll assign one to this vulnerability.

  - mdz

----- End forwarded message -----

Martin Michlmayr
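
The fix suggested in the forwarded message (a per-user subdirectory of TMPDIR, writable only by its owner, holding the FIFO) can be sketched as follows. This is an added example, not code from cplay or from the original message; the function names and the `cplay-<uid>` directory name are hypothetical, and it assumes the base directory has the sticky bit set, as /var/tmp normally does.

```python
import os
import stat
import tempfile

def private_fifo_path(base=None, name="cplay_control"):
    """Create (or reuse) <base>/cplay-<uid>/<name> and return the FIFO path."""
    base = base or os.environ.get("TMPDIR") or tempfile.gettempdir()
    uid = os.getuid()
    ctl_dir = os.path.join(base, "cplay-%d" % uid)  # hypothetical naming scheme
    try:
        os.mkdir(ctl_dir, 0o700)   # fails with EEXIST if a symlink was planted here
    except FileExistsError:
        pass
    st = os.lstat(ctl_dir)         # lstat inspects the entry itself, not a link target
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid or st.st_mode & 0o077:
        raise PermissionError("unsafe control directory: " + ctl_dir)
    fifo = os.path.join(ctl_dir, name)
    try:
        os.mkfifo(fifo, 0o600)     # mkfifo does not follow an existing symlink either
    except FileExistsError:
        pass
    fst = os.lstat(fifo)
    if not stat.S_ISFIFO(fst.st_mode) or fst.st_uid != uid:
        raise PermissionError("control path is not our FIFO: " + fifo)
    return fifo

def open_control_fifo(path):
    """Open the FIFO read/write, refusing a symlink at the final path component."""
    fd = os.open(path, os.O_RDWR | os.O_NONBLOCK | os.O_NOFOLLOW)
    if not stat.S_ISFIFO(os.fstat(fd).st_mode):   # re-check the object actually opened
        os.close(fd)
        raise PermissionError("not a FIFO: " + path)
    return fd

if __name__ == "__main__":
    demo_base = tempfile.mkdtemp()   # constructed scratch directory for the demo
    path = private_fifo_path(demo_base)
    fd = open_control_fifo(path)
    print("control FIFO ready at", path)
    os.close(fd)
```

Opening a FIFO with O_RDWR so that the open does not block is Linux behaviour, matching the "rb+" mode used in the quoted cplay line.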

