SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   shtool Vendors:   GNU [multiple authors]
shtool Temporary File May Let Local users gain Elevated Privileges
SecurityTracker Alert ID:  1014059
SecurityTracker URL:  http://securitytracker.com/id/1014059
CVE Reference:   CVE-2005-1751, CVE-2005-1759   (Links to External Site)
Updated:  Jun 14 2005
Original Entry Date:  May 26 2005
Impact:   Modification of system information, Modification of user information, User access via local system

Version(s): 2.0.1 and prior versions
Description:   Eric Romang (ZATAZ) reported a vulnerability in shtool. A local user may be able to gain elevated privileges.

The utility creates temporary files in an unsafe manner [CVE: CVE-2005-1751]. There is a race condition that can be exploited to potentially gain the privileges of the target user running shtool.

Gentoo Security later discovered that once the shtool temporary file is created, it is reused in an unsafe manner [CVE: CVE-2005-1759].

Impact:   A local user may be able to obtain elevated privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.gnu.org/software/shtool/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 7 2005 (Red Hat Issues Fix for PHP) shtool Temporary File May Let Local users gain Elevated Privileges
Red Hat has released a fix.



 Source Message Contents

Subject:  shtool insecure temporary file creation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#########################################################

shtool insecure temporary file creation

Vendor: http://www.gnu.org/software/shtool/
Advisory: http://www.zataz.net/adviso/shtool-05252005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

shtool contain a security flaw wich could allow a
malicious local user to create or overwrite content off arbitrary files
with the right off the user how use shtool.

The vulnerability is a race condition.

A lot off products use shtool, for exemple :

- - ocan-mysql
- - SellaNMS
- - ipcmp
- - OOPSE
- - OpenLDAP
- - PHP
- - OpenPKG
- - others ....

##########
Versions:
##########

shtool <= 2.0.1

##########
Solution:
##########

As I know only Gentoo has provide an update to shtool.
Use mktemp, umask and chmod to create secure temporary file

#########
Timeline:
#########

Discovered : 2005-05-25
Vendor notified : 2005-05-25
Vendor response : no more vendor
Vendor fix :  no vendor fix
Disclosure :  2005-05-25

#####################
Technical details :
#####################

Vulnerable code :
- -----------------

572 #   establish a temporary file on request
573 if [ ".$gen_tmpfile" = .yes ]; then
574     if [ ".$TMPDIR" != . ]; then
575         tmpdir="$TMPDIR"
576     elif [ ".$TEMPDIR" != . ]; then
577         tmpdir="$TEMPDIR"
578     else
579         tmpdir="/tmp"
580     fi
581     tmpfile="$tmpdir/.shtool.$$"
582     rm -f $tmpfile >/dev/null 2>&1
583     touch $tmpfile
584     chmod 600 $tmpfile
585 fi

597 #   cleanup procedure
598 shtool_exit () {
599     rc="$1"
600     if [ ".$gen_tmpfile" = .yes ]; then
601         rm -f $tmpfile >/dev/null 2>&1 || true
602     fi
603     exit $rc
604 }

The gen_tmpfile is used for tarball, subst, scpp ant path actions.

#########
Related :
#########

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=93782

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFClLmIXXuxWE8lDAcRAjXNAJ4tDchC7D3T7dQ/cY4mZ2hb3VYlIwCdHNAc
YCtVQmrCHRBu3l5topwCi28=
=dghw
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC