[<prev] [next>] [month] [year] [list]
Date: Mon Jul 4 10:42:12 2005
From: exploits at zataz.net (ZATAZ Audits)
Subject: log4sh insecure temporary file creation
#########################################################
log4sh insecure temporary file creation
Vendor: http://forestent.com/products/log4sh/
Advisory: http://www.zataz.net/adviso/log4sh-06092005.txt
Vendor informed: yes
Exploit available: no
Impact : low
Exploitation : low
#########################################################
The vulnerabilities are caused due to temporary file being created
insecurely.
This can be exploited via symlink attacks in combination to create and
overwrite
arbitrary files with the privileges of the user running the affected script.
##########
Versions:
##########
log4sh <= 1.2.5
##########
Solution:
##########
Use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-05-26
Vendor notified : 2005-06-09
Vendor response : no reponse
Vendor fix : no fix
Vendor Sec report (vendor-sec@....de) : 2005-06-27
Disclosure : 2005-07-04
#####################
Technical details :
#####################
Vulnerable code :
-----------------
356 log4sh_readProperties()
357 {
358 _file=$1
359
360 _tmpFile="/tmp/log4sh.$$"
361 grep "^log4sh\." $_file >$_tmpFile
#########
Related :
#########
Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94069
#####################
Credits :
#####################
Eric Romang (eromang@...az.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux