SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   fireHOL Vendors:   firehol.sourceforge.net
FireHOL Unsafe Temporary Files Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1012969
SecurityTracker URL:  http://securitytracker.com/id/1012969
CVE Reference:   CVE-2005-0225   (Links to External Site)
Updated:  Feb 7 2005
Original Entry Date:  Jan 24 2005
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system

Version(s): 1.214
Description:   A vulnerability was reported in FireHOL. A local user may be able to gain elevated privileges.

Sam Couter reported that FireHOL uses temporary files with known filenames in a temporary directory whose name is predictable because it is derived from the process ID.

A local user can create a symbolic link (symlink) at the path of a temporary file that FireHOL will use, pointing it at a critical file on the system. Then, when a target user runs FireHOL, the file the symlink points to may be overwritten with the privileges of the target user.

Impact:   A local user may be able to gain elevated privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  firehol.sourceforge.net/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 2 2005 (Gentoo Issues Fix) FireHOL Unsafe Temporary Files Let Local Users Gain Elevated Privileges
Gentoo has released a fix.



 Source Message Contents

Subject:  firehol: insecure temporary directory handling


Both firehol and firehol-wizard use known temporary file names in a
predictably named temporary directory (PID-based).

Neither program ensures that those directories are safe before blasting
the contents of files within. An attacker can place carefully named
symlinks in the directory and overwrite or corrupt many files on the
system.

I have exploited this (it's trivial if even I can do it).

Security team says:
"You may add that if the author/maintainer doesn't know how to fix
the problem either, they should not hesitate to contact us."
-- 
Sam "Eddie" Couter  |  mailto:sam@couter.dropbear.id.au
Debian Developer    |  mailto:eddie@debian.org
                    |  jabber:sam@teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
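As an added example, not FireHOL's own code and not part of the advisory or of Sam Couter's message, the following POSIX shell functions show the fix for the pattern described above: an unpredictably named, atomically created private temporary directory instead of a PID-based one, plus writes that refuse to follow symlinks or clobber pre-existing files. It assumes mktemp(1) with -d and a template, and GNU stat(1) with -c, are available; the "firehol-safe" prefix, the file names and the decoy target are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not FireHOL's code. Assumes mktemp -d with a template and
# GNU stat -c (both constructed assumptions; the names below are illustrative).

# Create a private temporary directory with an unpredictable name.
# mktemp -d creates it atomically with mode 0700, so there is no window in
# which another local user can pre-create a symlink at the chosen path,
# which is exactly the window a PID-based name such as /tmp/firehol-$$ leaves.
safe_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/firehol-safe.XXXXXXXX") || return 1
    # Defence in depth: the result must be a real directory (not a symlink),
    # owned by the current user, and not accessible to group or others.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        return 1
    fi
    if [ "$(stat -c '%u' "$dir")" != "$(id -u)" ]; then
        return 1
    fi
    case "$(stat -c '%a' "$dir")" in
        700) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$dir"
}

# Write a line to a file, refusing to write through a symlink and refusing
# to overwrite anything that already exists. With noclobber (set -C) the
# shell opens the target with O_EXCL, so the open fails if any file or
# symlink is already present at that path, closing the check-then-use gap.
safe_write() {
    file=$1
    if [ -L "$file" ]; then
        printf 'refusing to write through symlink: %s\n' "$file" >&2
        return 1
    fi
    ( set -C; printf '%s\n' "$2" > "$file" ) 2>/dev/null || return 1
}

# Demonstration on constructed data: a planted symlink inside our own
# directory (pointing at a harmless constructed decoy) must not be written.
demo() {
    tmp=$(safe_tmpdir) || return 1
    trap 'rm -rf "$tmp"' EXIT INT TERM

    safe_write "$tmp/rules" "iptables -A INPUT -j DROP" || return 1

    : > "$tmp/decoy-target"
    ln -s "$tmp/decoy-target" "$tmp/planted"
    if safe_write "$tmp/planted" "should not be written"; then
        return 1   # writing through the symlink would be the bug
    fi
    [ -s "$tmp/decoy-target" ] && return 1   # decoy must remain empty
    return 0
}
```

The two layers are deliberate: mktemp removes the predictability that lets an attacker pre-place a link, and noclobber makes each individual write fail closed even if a link appears between the -L test and the open.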
Copyright 2019, SecurityGlobal.net LLC