Open Source and information security mailing list archives
Message-Id: <200807251218.25478.rbu@gentoo.org>
Date: Fri, 25 Jul 2008 12:18:21 +0200
From: Robert Buchholz <rbu@...too.org>
To: "Jan Minář" <rdancer@...ncer.org>
Cc: full-disclosure@...ts.grok.org.uk,
	"Steven M. Christey" <coley@...us.mitre.org>, bugs@....org,
	bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

On Friday 25 July 2008, Jan Minář wrote:
> 2008/7/25 Robert Buchholz <rbu@...too.org>:
> > On Friday 18 July 2008, Jan Minář wrote:
> > ...
> >
> >> 3. Vulnerability
> >>
> >> During the build process, a temporary file with a predictable name
> >> is created in the ``/tmp'' directory.  This code is run when Vim
> >> is being built with Python support:
> >>
> >> src/configure.in:
> >>
> >>          677         dnl -- we need to examine Python's config/Makefile too
> >>          678         dnl    see what the interpreter is built from
> >>          679         AC_CACHE_VAL(vi_cv_path_python_plibs,
> >>          680         [
> >>          681             tmp_mkf="/tmp/Makefile-conf$$"
> >>   (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
> >>          683 __:
> >>          684         @echo "python_MODLIBS='$(MODLIBS)'"
> >>          685         @echo "python_LIBS='$(LIBS)'"
> >>          686         @echo "python_SYSLIBS='$(SYSLIBS)'"
> >>          687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
> >>          688 eof
> >>          689             dnl -- delete the lines from make about Entering/Leaving directory
> >>   (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
> >>          691             rm -f ${tmp_mkf}
> >>
> >> The attacker has to create the temporary file
> >> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). 
> >> In the time between (1) and (2), arbitrary commands can be written
> >> to the file.  They will be executed at (2).
> >
> > The commands do not have to be written there between (1) and (2),
> > they can be in the file long before the ./configure was started --
> > just because the script does care whether it can write to the file
> > at all. So unlike stated in the advisory, and in CVE-2008-3294, the
> > issue does not involve a race condition if the attacker would
> > choose to create a 644 file.
>
> The file gets truncated in (1).  You're wrong, the advisory is right.

Truncation will fail if the configure is not running as root.

Robert
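As an added example (not code from this thread or from Vim), the shell script below reproduces the effect Robert describes and contrasts it with an mktemp-based replacement for the tmp_mkf line. It assumes a constructed scratch directory in place of /tmp, and uses a 0444 file owned by the current user as a stand-in for another user's 644 file, since both refuse a non-root open for writing.

```shell
#!/bin/sh
# Added example, not Vim's configure.in. A constructed scratch directory stands
# in for /tmp, and a 0444 file stands in for the other user's 644 file, so the
# same "open for write fails" effect is visible without a second account.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Vulnerable pattern: predictable name, then plain ">" redirection, as at (1).
# Returns 0 if the pre-planted content survives the redirect, 1 if truncated.
planted_content_survives() {
    tmp_mkf="$WORK/Makefile-conf$$"          # predictable, like /tmp/Makefile-conf$$
    printf 'all:\n\t@echo planted\n' >"$tmp_mkf"   # exists before the build starts...
    chmod 0444 "$tmp_mkf"                    # ...and the builder cannot write to it
    # The build script's write. For a non-root user open(O_WRONLY|O_TRUNC) is
    # refused, the planted content stays, and make -f at (2) would run it.
    printf '__:\n\t@echo probe\n' >"$tmp_mkf" 2>/dev/null
    grep -q planted "$tmp_mkf"
}

# Fix: mktemp creates a fresh name with O_CREAT|O_EXCL and mode 0600, so a
# pre-planted file is never reused and the contents are only what we wrote.
# Returns 0 if the file is a regular, owner-only file holding only our content.
private_tmpfile_is_clean() {
    tmp_mkf=$(mktemp "$WORK/Makefile-conf.XXXXXX") || return 1
    printf '__:\n\t@echo probe\n' >"$tmp_mkf" || return 1
    [ -f "$tmp_mkf" ] && [ ! -L "$tmp_mkf" ] || return 1
    [ "$(ls -ld "$tmp_mkf" | cut -c1-10)" = "-rw-------" ] || return 1
    ! grep -q planted "$tmp_mkf"
}

if planted_content_survives; then
    echo "predictable name: planted content survived the redirect"
else
    echo "predictable name: file was truncated (probably running as root)"
fi
private_tmpfile_is_clean && echo "mktemp: fresh 0600 file, only our content"
```

Run it once as an unprivileged user and once as root to see the two outcomes the thread argues about: only root truncates the planted file.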
