SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   Everybuddy
Vendors:   everybuddy.com
Everybuddy Unsafe Temporary File Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1014110
SecurityTracker URL:  http://securitytracker.com/id/1014110
CVE Reference:   CVE-2005-1880
Updated:  Jun 9 2005
Original Entry Date:  Jun 6 2005
Impact:   User access via local system

Version(s): 0.4.3 and prior versions
Description:   Eric Romang from ZATAZ Audit reported a vulnerability in Everybuddy. A local user can gain elevated privileges.

The 'modules/utility/autotrans.c' file creates a temporary file in an unsafe manner. A local user can create a symbolic link (symlink) at the temporary file's path that points to a critical file on the system. Then, when the target user runs the application, the symlinked file may be overwritten with the privileges of the target user.

The original advisory is available at:

http://www.zataz.net/adviso/everybuddy-06062005.txt
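
An added example (not Everybuddy's code and not from the advisory) contrasting a fixed-name open that follows symlinks, as happens with the predictable /tmp/.eb.<USER>.translator path in autotrans.c, with exclusive creation and mkstemp(). The function names, the eb-translator template and the sandbox files are assumptions made for illustration; the scenario is constructed inside a private mkdtemp() directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: fixed name, follows symlinks, truncates whatever the name resolves to. */
int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fixed name, hardened: O_EXCL fails if anything (even a symlink) already exists. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it exclusively. */
int open_private_temp(char *tmpl) { return mkstemp(tmpl); }

/* Constructed scenario in a private sandbox directory: "fixed" is a symlink
 * that already exists and points at "victim" (4 bytes). Returns victim's size
 * after the chosen open ran: 4 = intact, 0 = truncated through the link. */
long victim_size_after(int use_exclusive) {
    char dir[] = "/tmp/eb-demo.XXXXXX", victim[64], fixed[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/fixed", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep", f); fclose(f);
    if (symlink(victim, fixed) != 0) return -1;
    int fd = use_exclusive ? open_exclusive(fixed) : open_unsafe(fixed);
    if (fd >= 0) close(fd);
    long n = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(fixed); unlink(victim); rmdir(dir);
    return n;
}

int main(void) {
    char tmpl[] = "/tmp/eb-translator.XXXXXX";   /* hypothetical template name */
    int fd = open_private_temp(tmpl);
    printf("unsafe open:    victim size %ld\n", victim_size_after(0));
    printf("exclusive open: victim size %ld\n", victim_size_after(1));
    if (fd >= 0) { printf("mkstemp created %s\n", tmpl); close(fd); unlink(tmpl); }
    return 0;
}
```

On Linux, the fs.protected_symlinks sysctl additionally blocks following another user's symlink in sticky world-writable directories such as /tmp, but portable code should not rely on it.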

Impact:   A local user can gain the privileges of the target user running the application.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor's web site was not in operation at the time of this entry.]

Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  everybuddy <= 0.4.3 insecure temporary file creation



#########################################################

everybuddy insecure temporary file creation

Vendor: http://www.everybuddy.com/ (no more vendor URL)
Advisory: http://www.zataz.net/adviso/everybuddy-06062005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks in combination to create and overwrite
arbitrary files with the privileges of the user running the affected script.

##########
Versions:
##########

everybuddy <= 0.4.3

##########
Solution:
##########

Don't use this tool

#########
Timeline:
#########

Discovered : 2005-05-30
Vendor notified : no more vendor
Vendor response : no more vendor
Vendor fix : no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
-----------------

modules/utility/autotrans.c

  /* Predictable per-user path in world-writable /tmp; wget -O writes to
     whatever the name resolves to, including a pre-existing symlink. */
  g_snprintf(buf, 2048,
    "rm /tmp/.eb.%s.translator -f ; wget -O /tmp/.eb.%s.translator "
    "'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
    getenv("USER"), getenv("USER"), from, to, string);

  printf("Running command line:\n%s\n", buf);

  if(system(buf)!=0)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  /* The same fixed path is then reopened for reading. */
  g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));

  if((dat=fopen(buf, "r"))==NULL)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  pos=0;

  while(!feof(dat))
  {
    for(a=0; a<3; a++)
    {
      lastfew[a]=lastfew[a+1];
    }
    lastfew[3]=(char)getc(dat);

    if(printing>=1)
    {
      buf[pos++]=lastfew[3];
      if(pos==1023) { buf[pos]='\0'; break; }
    }

    if(!strcmp(lastfew, "</TE"))
    {
      printf("Found end\n");
      if (pos >= 5) {
        buf[pos-4]='\0';
        printing++;
        while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
        {
          buf[pos-5]='\0';
          pos--;
        }
      }
      break;
    }

#########
Related :
#########

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94473

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
