Message-ID: <6edf76c20807241916j39f3f5b2i9d23e9caa49fca0@mail.gmail.com>
Date: Fri, 25 Jul 2008 03:16:00 +0100
From: "Jan Minář" <rdancer@...ncer.org>
To: "Robert Buchholz" <rbu@...too.org>
Cc: full-disclosure@...ts.grok.org.uk,
"Steven M. Christey" <coley@...us.mitre.org>, bugs@....org,
vim-dev@....org, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
2008/7/25 Robert Buchholz <rbu@...too.org>:
> On Friday 18 July 2008, Jan Minář wrote:
> ...
>> 3. Vulnerability
>>
>> During the build process, a temporary file with a predictable name is
>> created in the ``/tmp'' directory. This code is run when Vim is
>> being built with Python support:
>>
>> src/configure.in:
>>
>> 677 dnl -- we need to examine Python's config/Makefile too
>> 678 dnl see what the interpreter is built from
>> 679 AC_CACHE_VAL(vi_cv_path_python_plibs,
>> 680 [
>> 681 tmp_mkf="/tmp/Makefile-conf$$"
>> (1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
>> 683 __:
>> 684 	@echo "python_MODLIBS='$(MODLIBS)'"
>> 685 	@echo "python_LIBS='$(LIBS)'"
>> 686 	@echo "python_SYSLIBS='$(SYSLIBS)'"
>> 687 	@echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
>> 688 eof
>> 689 dnl -- delete the lines from make about Entering/Leaving directory
>> (2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
>> 691 rm -f ${tmp_mkf}
>>
>> The attacker has to create the temporary file
>> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
>> the time between (1) and (2), arbitrary commands can be written to
>> the file. They will be executed at (2).
>
> The commands do not have to be written there between (1) and (2), they
> can be in the file long before the ./configure was started -- just
> because the script does care whether it can write to the file at all.
> So unlike stated in the advisory, and in CVE-2008-3294, the issue does
> not involve a race condition if the attacker would choose to create a
> 644 file.
The file gets truncated in (1). You're wrong, the advisory is right.
HTH
HAND
Jan.
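The two scenarios argued over in this thread, reproduced as an added example that is neither Vim's configure code nor the advisory's exploit. It replays the quoted snippet in a scratch directory that stands in for /tmp (so nothing touches the real one), with a constructed stand-in for Python's config/Makefile. The names SANDBOX, PYTHON_CONFDIR, step1/step2, attacker_preplace, attacker_race_write and step1_hardened are this example's own; the hardened variant is a generic mktemp-based fix, not a statement of what Vim actually changed. It assumes a POSIX shell, mktemp and, for the race half, a GNU- or BSD-style make:

```shell
#!/bin/sh
# Added example, not Vim's code. Two things the snippet at (1)/(2) does:
#   A. ">" opens the temp file with O_TRUNC, so a 0644 file placed there
#      beforehand loses its contents at (1) and never reaches make.
#   B. Anything written into the file between (1) and (2) is executed by
#      make at (2), which is the race the advisory describes.
set -u

SANDBOX=$(mktemp -d)                   # stands in for /tmp (assumption)
PYTHON_CONFDIR="$SANDBOX/pyconf"       # stands in for Python's config dir
mkdir -p "$PYTHON_CONFDIR"
trap 'rm -rf "$SANDBOX"' EXIT

# Constructed stand-in for ${PYTHON_CONFDIR}/Makefile: only the variables
# the configure snippet reads back, no rules.
cat >"$PYTHON_CONFDIR/Makefile" <<'EOF'
MODLIBS= -lexample
LIBS= -lpthread
SYSLIBS= -lm
LINKFORSHARED= -Xlinker -export-dynamic
EOF

# Step (1) of the snippet: Python's Makefile plus a private "__" target are
# written to the temp file. The redirection truncates whatever was there.
step1() {                              # $1 = temp file path
    cat "$PYTHON_CONFDIR/Makefile" - <<'eof' >"$1"
__:
	@echo "python_MODLIBS='$(MODLIBS)'"
	@echo "python_LIBS='$(LIBS)'"
	@echo "python_SYSLIBS='$(SYSLIBS)'"
	@echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
eof
}

# Step (2): run make on the temp file and eval its output, as the snippet
# does. Every recipe the file holds at this moment is executed by make.
step2() {                              # $1 = temp file path
    eval "`cd "$PYTHON_CONFDIR" && make -f "$1" __ | sed '/ directory /d'`"
}

# Robert's scenario: a world-readable file created long before configure
# runs, holding a "__" recipe that would drop a marker if make saw it.
attacker_preplace() {                  # $1 = temp file, $2 = marker path
    printf '__:\n\ttouch %s\n' "$2" >"$1"
    chmod 644 "$1"
}

# The advisory's scenario: a write in the window between (1) and (2). A
# second rule for "__" adds a prerequisite (make merges prerequisites across
# rules), so the attacker's recipe runs before the legitimate echo lines.
attacker_race_write() {                # $1 = temp file, $2 = marker path
    printf '__: pwned\npwned:\n\ttouch %s\n' "$2" >>"$1"
}

# Scenario A. Prints "truncated" when the pre-placed recipe is gone after (1).
demo_preplaced() {
    f="$SANDBOX/Makefile-conf$$"; m="$SANDBOX/marker-pre"
    attacker_preplace "$f" "$m"
    step1 "$f"
    if grep -q marker-pre "$f"; then echo survived; else echo truncated; fi
    rm -f "$f"
}

# Scenario B. Prints "executed" when make ran the attacker's recipe at (2).
demo_race() {
    f="$SANDBOX/Makefile-conf$$"; m="$SANDBOX/marker-race"
    rm -f "$m"
    command -v make >/dev/null 2>&1 || { echo "skipped (no make)"; return 0; }
    step1 "$f"
    attacker_race_write "$f" "$m"      # lands before make reads the file
    step2 "$f" >/dev/null 2>&1
    if [ -e "$m" ]; then echo executed; else echo "not executed"; fi
    rm -f "$f"
}

# Generic hardened variant (an assumption, not Vim's actual fix): mktemp
# creates the file itself with O_CREAT|O_EXCL and mode 0600 under an
# unpredictable name, so there is neither a pre-existing file nor a known
# path to race. Prints the path it used.
step1_hardened() {
    tmp=$(mktemp "$SANDBOX/Makefile-conf.XXXXXX") || return 1
    step1 "$tmp"
    echo "$tmp"
}

echo "pre-placed 0644 file after (1):   $(demo_preplaced)"
echo "write in the (1)-(2) window:      $(demo_race)"
echo "hardened temp file:               $(step1_hardened)"
```

Run it as-is; the first line confirms the truncation Jan refers to, the second (when make is installed) confirms that the window between (1) and (2) is what an attacker has to hit, which is why the attacker needs to win a race rather than just leave a file behind.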