lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20041124025903.9337.qmail@www.securityfocus.com>
Date: 24 Nov 2004 02:59:03 -0000
From: <advisory@...security.com>
To: bugtraq@...urityfocus.com
Subject: STG Security Advisory: [SSA-20041122-09] cscope insecure temp
    file creation vulnerability




STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation
vulnerability

Revision 1.2
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory@...security.com)

Summary
========
cscope is an interactive, screen-oriented tool that allows users to
browse through C source files for specified elements of code.

It is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files with the right of the user running them, which
could be root.


Vulnerability Class
===================
Design error: insecure temp file handling


Details
=======
cscope was not designed to handle temp file securely.

main.c 332 line
   /* create the temporary file names */
   pid = getpid();
   (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
   (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);

temporary files created with predictable names.
/tmp/cscope[pid].1
/tmp/cscope[pid].2

If temp1, temp2 are assigned once, they aren't changed until cscope is
terminated. Because cscope uses temp1, temp2  values repeatedly whenever user
searches specified element of code, it's trivial to guess the names of temp
files.

Impact
======
Medium: System file corruption.

Workaround
==========
Do *NOT* run cscope as the right of root.

rexolab's patch isn't the correct patch to this problem.
cscope is made with C language, not PHP language, fopen() doesn't support
mode 'x' in C library.

Affected Products
================
cscope 15.5 and prior

Vendor Status: NOT FIXED
=======================
2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*)
(http://xsdeny.net/kweblog/stories.php?story=03/04/03/9181080)
2004-11-08 cscope developer notified.
2004-11-17 rexolab released the advisory irresponsibly and incorrectly.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

Powered by blists - more mailing lists