Date: Mon, 06 Jun 2005 10:31:15 +0200
From: Eric Romang / DATACENTER Luxembourg <eromang@...ux.com>
To: vuldb@...urityfocus.com, vuln@...unia.com, vuln@...tik.com,
	moderators@...db.org, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, news@...uriteam.com,
	xforce@....net, bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
	full-disclosure@...ts.grok.org.uk
Subject: everybuddy <= 0.4.3 insecure temporary file creation


#########################################################

everybuddy insecure temporary file creation

Vendor: http://www.everybuddy.com/ (vendor URL no longer active)
Advisory: http://www.zataz.net/adviso/everybuddy-06062005.txt
Vendor informed: no (project abandoned, no vendor left to contact)
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused by a temporary file being created insecurely: the
translation module writes to a fixed, predictable name in the world-writable
/tmp directory (/tmp/.eb.$USER.translator) without checking whether the path
already exists. A local attacker who plants a symbolic link at that name can
have the file created or overwritten through the link, so arbitrary files can
be created or overwritten with the privileges of the user running everybuddy.

##########
Versions:
##########

everybuddy <= 0.4.3

##########
Solution:
##########

No fix is available and the project is abandoned: do not use this tool.

#########
Timeline:
#########

Discovered : 2005-05-30
Vendor notified : not possible (project abandoned)
Vendor response : none
Vendor fix : none
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
-----------------

modules/utility/autotrans.c, lines 258-308 (excerpt, line numbers dropped):

  /* The temporary file name is derived from $USER only, so every other
   * local user can predict it, and it lives in the shared /tmp directory. */
  g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O /tmp/.eb.%s.translator 'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
    getenv("USER"), getenv("USER"), from, to, string);

  printf("Running command line:\n%s\n", buf);

  /* "rm -f" followed by "wget -O" on the fixed path: wget creates its output
   * file with open(..., O_CREAT|O_TRUNC), which follows a symlink planted at
   * that path after the rm and before wget opens it. */
  if(system(buf)!=0)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  /* The same predictable path is then reopened for reading. */
  g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));

  if((dat=fopen(buf, "r"))==NULL)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  pos=0;

  while(!feof(dat))
  {
    for(a=0; a<3; a++)
    {
      lastfew[a]=lastfew[a+1];
    }
    lastfew[3]=(char)getc(dat);

    if(printing>=1)
    {
      buf[pos++]=lastfew[3];
      if(pos==1023) { buf[pos]='\0'; break; }
    }

    if(!strcmp(lastfew, "</TE"))
    {
      printf("Found end\n");
      if (pos >= 5) {
        buf[pos-4]='\0';
        printing++;
        while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
        {
          buf[pos-5]='\0';
          pos--;
        }
      }
      break;
    }

#########
Related :
#########

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94473

#####################
Credits :
#####################

Eric Romang (eromang@...az.net - ZATAZ Audit)
Thanks to the Gentoo Security Team (Taviso, jaervosz, solar, tigger, etc.).




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
