lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041124025903.9337.qmail@www.securityfocus.com> Date: 24 Nov 2004 02:59:03 -0000 From: <advisory@...security.com> To: bugtraq@...urityfocus.com Subject: STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability Revision 1.2 Date Published: 2004-11-22 (KST) Last Update: 2004-11-22 Disclosed by SSR Team (advisory@...security.com) Summary ======== cscope is an interactive, screen-oriented tool that allows users to browse through C source files for specified elements of code. It is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the right of the user running them, which could be root. Vulnerability Class =================== Design error: insecure temp file handling Details ======= cscope was not designed to handle temp file securely. main.c 332 line /* create the temporary file names */ pid = getpid(); (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid); (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid); temporary files created with predictable names. /tmp/cscope[pid].1 /tmp/cscope[pid].2 If temp1, temp2 are assigned once, they aren't changed until cscope is terminated. Because cscope uses temp1, temp2 values repeatedly whenever user searches specified element of code, it's trivial to guess the names of temp files. Impact ====== Medium: System file corruption. Workaround ========== Do *NOT* run cscope as the right of root. rexolab's patch isn't the correct patch to this problem. cscope is made with C language, not PHP language, fopen() doesn't support mode 'x' in C library. Affected Products ================ cscope 15.5 and prior Vendor Status: NOT FIXED ======================= 2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*) (http://xsdeny.net/kweblog/stories.php?story=03/04/03/9181080) 2004-11-08 cscope developer notified. 2004-11-17 rexolab released the advisory irresponsibly and incorrectly. 2004-11-22 Official release. Credits ====== Jeremy Bae at STG Security
Powered by blists - more mailing lists