cplay Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1010574
SecurityTracker URL: http://securitytracker.com/id/1010574
Date: Jun 23 2004
Impact: Modification of system information, Modification of user information, User access via local system
Exploit Included: Yes
A vulnerability was reported in cplay in its handling of temporary files. A local user may be able to gain elevated privileges.
Martin Michlmayr reported that cplay creates a temporary file (/var/tmp/cplay_control) in an unsafe manner: the name is fixed and predictable, and it lives in a world-writable directory. A local user can create a symbolic link (symlink) at that path pointing to a critical file on the system. Then, when the target user runs cplay and uses the control mechanism, cplay writes commands through the link into the linked file with the privileges of the user running cplay.
A local user may be able to gain elevated privileges on the target system.
No upstream solution was available at the time of this entry.
Vendor URL: www.tf.hut.fi/~flu/cplay/
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: cplay has bad /tmp handling
----- Forwarded message from Matt Zimmerman <email@example.com> -----
From: Matt Zimmerman <firstname.lastname@example.org>
Subject: Re: /tmp handling in cplay
On Mon, Apr 12, 2004 at 03:10:50PM +0100, Martin Michlmayr wrote:
> Can you please take a look at the /tmp handling of cplay. It creates
> a FIFO there so other programs can control cplay and tell it which
> songs to play. cplay is in the archive, search for CONTROL_FIFO in
> /usr/bin/cplay. Thanks.
CONTROL_FIFO = "/var/tmp/cplay_control"
try: self.fd = open(CONTROL_FIFO, "rb+", 0)
/var/tmp/cplay_control could be created by any user (/var/tmp is +w) as a
symlink to an existing file only writable by the target user, which would
have commands written to it with the target user's privileges when they use
the control mechanism.
Since the contents cannot be controlled by the attacker, there are few
scenarios where this could be a privilege escalation, but there are plenty
of DoS possibilities.
The right fix would be to create a unique subdirectory of TMPDIR (perhaps
with the uid/username in it), only writable by the user himself, and place
the fifo there. See gconfd, orbit, ssh, etc.
I just ran out of CVE candidates and have asked for more; once I have them,
I'll assign one to this vulnerability.
----- End forwarded message -----
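The fix the forwarded message recommends (a per-user subdirectory of TMPDIR, writable only by that user, with the FIFO placed inside it) worked out as an added Python example. cplay itself is a Python program, but this is not cplay's code: the function names (private_fifo_dir, check_control_path, create_control_fifo, open_control_fifo, demo) and the scratch directory standing in for /var/tmp are this example's own constructions. check_control_path is the check a maintainer or auditor can run against any candidate control path; it reports "symlink" for exactly the hazard described above, and open_control_fifo closes the remaining check-then-open race with O_NOFOLLOW plus an lstat/fstat inode comparison.

```python
import os
import stat
import tempfile

# Added example, not cplay's code. Demonstrates the recommended fix for a
# predictable control FIFO in a shared temp directory: a private per-user
# directory under TMPDIR, symlink-aware checks, and a no-follow open.


def private_fifo_dir(app="cplay", base=None):
    """Create (or reuse) <base>/<app>-<uid>, refusing anything that is not
    a directory owned by us with no group/other permission bits."""
    base = base or os.environ.get("TMPDIR") or tempfile.gettempdir()
    path = os.path.join(base, "%s-%d" % (app, os.getuid()))
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # leftover from an earlier run, or something another user planted
    st = os.lstat(path)  # lstat: never follow a symlink at this point
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("%s is not a private directory of uid %d" % (path, os.getuid()))
    return path


def check_control_path(path):
    """Classify a candidate control path. Anything but "ok" means: do not open it."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"  # the cplay bug: a link to a file only the victim can write
    if not stat.S_ISFIFO(st.st_mode):
        return "not-a-fifo"
    if st.st_uid != os.getuid():
        return "wrong-owner"
    if stat.S_IMODE(st.st_mode) & 0o077:
        return "too-permissive"
    return "ok"


def create_control_fifo(directory, name="control"):
    """Create the FIFO inside the private directory and re-verify it."""
    fifo = os.path.join(directory, name)
    try:
        os.mkfifo(fifo, 0o600)
    except FileExistsError:
        pass
    verdict = check_control_path(fifo)
    if verdict != "ok":
        raise RuntimeError("refusing %s: %s" % (fifo, verdict))
    return fifo


def open_control_fifo(fifo):
    """Open without following symlinks, then confirm the opened object is the
    same inode lstat saw, so a swap between check and open is detected."""
    before = os.lstat(fifo)
    fd = os.open(fifo, os.O_RDWR | os.O_NONBLOCK | os.O_NOFOLLOW)
    after = os.fstat(fd)
    if not stat.S_ISFIFO(after.st_mode) or \
            (before.st_dev, before.st_ino) != (after.st_dev, after.st_ino):
        os.close(fd)
        raise RuntimeError("control path changed underneath us")
    return fd


def demo():
    """Constructed scenario: a scratch directory stands in for /var/tmp."""
    scratch = tempfile.mkdtemp(prefix="cplay-demo-")
    results = {}
    # Unsafe pattern: fixed, predictable name in a shared directory, where a
    # symlink to a file the victim can write has already been planted.
    victim_file = os.path.join(scratch, "victim-config")
    with open(victim_file, "w") as f:
        f.write("constructed sample: a file writable only by the victim\n")
    planted = os.path.join(scratch, "cplay_control")
    os.symlink(victim_file, planted)
    results["planted_symlink"] = check_control_path(planted)
    results["plain_file"] = check_control_path(victim_file)
    # Hardened pattern: private per-user directory, FIFO inside it, no-follow open.
    private = private_fifo_dir(app="cplay-demo", base=scratch)
    results["dir_mode"] = stat.S_IMODE(os.lstat(private).st_mode)
    fifo = create_control_fifo(private)
    results["fifo"] = check_control_path(fifo)
    fd = open_control_fifo(fifo)
    results["opened_is_fifo"] = stat.S_ISFIFO(os.fstat(fd).st_mode)
    os.close(fd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

The ordering of the checks matters: lstat is used so a symlink is reported as "symlink" rather than being followed and then judged by whatever it points at, and the directory's ownership and mode are verified after mkdir because mkdir silently reuses a pre-existing entry. O_RDWR on the FIFO mirrors the "rb+" open in the quoted cplay snippet, with O_NONBLOCK so the demo does not wait for a peer.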