| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <432ACFE5.1000006@zataz.net> Date: Fri, 16 Sep 2005 16:00:05 +0200 From: ZATAZ Audits <exploits@...az.net> To: vuldb@...urityfocus.com, vuln@...unia.com, vuln@...tik.com, moderators@...db.org, bugs@...uritytracker.com, submissions@...ketstormsecurity.org, news@...uriteam.com, xforce@....net, bugtraq@...urityfocus.com, vulnwatch@...nwatch.org, full-disclosure@...ts.grok.org.uk Cc: "Eric Romang / ZATAZ.com" <eromang@...az.com> Subject: ncompress insecure temporary file creation ######################################################### ncompress insecure temporary file creation Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/ Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt Vendor informed: yes Exploit available: yes Impact : low Exploitation : low ######################################################### The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination with a race condition to create and overwrite arbitrary files with the privileges of the user running the affected script. Secunia has reported that D1g1t4lLeech has discovered this bug the 2005-09-16 ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech is a true Leecher :) Gentoo Security take care on your IRC Channel, spy everywhere. ########## Versions: ########## ncompress <= 4.2.4-r1 ########## Solution: ########## To prevent symlink attack use kernel patch such as grsecurity ######### Timeline: ######### Discovered : 2005-09-05 Vendor notified : 2005-09-05 Vendor response : no reponse Vendor fix : no patch Vendor Sec report (vendor-sec@....de) : Disclosure : ##################### Technical details : ##################### ncompress use vulnerable version off zdiff and zcmp. ######### Related : ######### Secunia : http://secunia.com/advisories/13131/ CVE : CAN-2004-0970 ##################### Credits : ##################### Eric Romang (eromang@...az.net - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists