lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 21 Jan 2012 23:14:27 +0100
From: srm <srm@...kless.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: usb_modeswitch/pppd -detach


On Thu, Jan 19, 2012 at 01:07:02AM +0100, srm wrote:
> 
> morrn,
> 
> 
> Impact
> ======
> 
> Low
> 
> 
> Summary
> =======
> 
> When using usb_modeswitch and invoking pppd from wvdial in -detach mode. a /tmp/debug
> file is created. Local Attacker could overwrite arbitrary files.
> 
> 
> Example
> =======
> 
> ,file /tmp/debug
> debug: broken symbolic link to `/etc/nologin'
> 
> Insert stick and connect:
> 
> ,su
> Password:
> ,sh connect >/dev/null
> 
> ,file debug
> debug: symbolic link to `/etc/nologin'
> 
> ,cd /etc && cat nologin
> symlink-name: /devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3:1.0/ttyUSB0/tty
> 
> ,ls -l nologin
> -rw-r--r-- 1 root root 84 Jan 19 01:11 nologin
> 
> 
> Software
> ========
> archlinux: community/usb_modeswitch 1.2.1-1c
> archlinux: core/ppp 2.4.5-3 (base)
> 
> 
> Please verify. YMMV.
> 
> 
> Greetings
> srm

So, the problem is definitive in the community package of archlinux.
*sigh*. I checked version 1.2.2 from

http://www.draisberghof.de/usb_modeswitch/#download

It doesn't contain the '/tmp/debug' statement.

However: The following version has the debug statement:
https://www.archlinux.org/packages/community/i686/usb_modeswitch/

,grep -n '/tmp/debug' usb_modeswitch.sh
66:             echo "symlink-name: $2" >/tmp/debug


A possible quick fix could be to append $$:
66:             echo "symlink-name: $2" >/tmp/debug.$$

Greetings
srm

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ