lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <6edf76c20807171554n255ccd8cka58ca41dc1fca7b0@mail.gmail.com>
Date: Thu, 17 Jul 2008 23:54:18 +0100
From: "Jan Minář" <rdancer@...ncer.org>
To: bugs@....org, vim-dev@....org, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

1. Summary

Product  : Vim -- Vi IMproved
Versions : 5.0--current, possibly older; 4.6 and 3.0 not vulnerable
Impact   : Arbitrary code execution
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-configure.in.html
           http://www.rdancer.org/vulnerablevim-configure.in.patch

Insecure temporary file creation during the build process is vulnerable
to symbolic link attacks, and arbitrary code execution.  Patch provided.


2. Background

``Vim is an almost compatible version of the UNIX editor Vi.  Many new
features have been added: multi-level undo, syntax highlighting, command
line history, on-line help, spell checking, filename completion, block
operations, etc.''
	-- VIM ``README.txt''


3. Vulnerability

During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory.  This code is run when Vim is being
build with Python support:

src/configure.in:

         677         dnl -- we need to examine Python's config/Makefile too
         678         dnl    see what the interpreter is built from
         679         AC_CACHE_VAL(vi_cv_path_python_plibs,
         680         [
         681             tmp_mkf="/tmp/Makefile-conf$$"
  (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
         683 __:
         684         @echo "python_MODLIBS='$(MODLIBS)'"
         685         @echo "python_LIBS='$(LIBS)'"
         686         @echo "python_SYSLIBS='$(SYSLIBS)'"
         687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
         688 eof
         689             dnl -- delete the lines from make about
Entering/Leaving directory
  (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
         691             rm -f ${tmp_mkf}

The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1).  In
the time between (1) and (2), arbitrary commands can be written to the
file.  They will be executed at (2).


3. Test Case

No test case.


4. Patch

Patch fixing this vulnerability can be found at the following URL:

           http://www.rdancer.org/vulnerablevim-configure.in.patch

Please note: The patch fixes ``src/configure.in'', an input file used by
the ``autoconf'' command.  ``autoconf'' uses this input file to create
``src/auto/configure''.  It is necessary to remove the latter, if
present, to force its recreation.  Otherwise, further build runs will
still use it, and the vulnerability will still be present.


5. Copyright

This advisory is Copyright 2008 Jan Minar <rdancer@...ncer.org>

Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/

Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license.  See the subdirectory ``licenses''.

Various portions of the accompanying code were written by various
parties.  Those parties may hold copyright, and those portions may be
copied according to their respective licenses.


6. History

2008-07-17 Sent to: <bugs@....org>, <vim-dev@....org>
	   <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>

View attachment "vulnerablevim-configure.in.patch" of type "text/x-patch" (1163 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ