| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 01 Apr 2010 23:30:50 -0400 From: bugs lists <bugs@....dhs.org> To: <full-disclosure@...ts.grok.org.uk> Subject: FileCache: tmp file permission vulnerability. FileCache: tmp file permission vulnerability. Larry W. Cashdollar Vapid Labs http://vapid.dhs.org 2/16/2010 Perl Cache-Cache-1.06 is a memory and file caching module for perl. It stores its default file cache in /tmp with world read/write permissions. A local attacker can use this cache to glean information from applications using module. Regardless of weather the transaction is taking place over an encrypted SSL session. root@...-unix-sec01:/tmp# ls -l --color=no total 200 drwxrwxrwx 3 root root 4096 Feb 10 12:53 FileCache root@...-unix-sec01:/tmp/FileCache/Default# ls -l --color=no total 64 drwxrwxrwx 17 root root 4096 Feb 11 16:10 0 drwxrwxrwx 18 root root 4096 Feb 10 15:50 1 drwxrwxrwx 18 root root 4096 Feb 11 16:11 2 drwxrwxrwx 16 root root 4096 Feb 11 16:09 3 drwxrwxrwx 18 root root 4096 Feb 10 15:51 4 drwxrwxrwx 17 root root 4096 Feb 11 16:09 5 drwxrwxrwx 18 root root 4096 Feb 10 15:51 6 drwxrwxrwx 15 root root 4096 Feb 11 16:09 7 drwxrwxrwx 17 root root 4096 Feb 10 15:51 8 drwxrwxrwx 18 root root 4096 Feb 11 16:10 9 drwxrwxrwx 17 root root 4096 Feb 10 15:51 a drwxrwxrwx 17 root root 4096 Feb 11 16:09 b drwxrwxrwx 17 root root 4096 Feb 11 16:10 c drwxrwxrwx 18 root root 4096 Feb 11 16:11 d drwxrwxrwx 17 root root 4096 Feb 11 16:09 e drwxrwxrwx 16 root root 4096 Feb 11 16:10 f root@...-unix-sec01:/tmp/FileCache/Default/f/f/9# ls -l --color=no total 64 -rw-r--r-- 1 root root 8035 Feb 12 08:39 ff9984b83c656ad4884e116bcf60fdca16be6483 -rw-r--r-- 1 root root 51521 Feb 12 08:37 ff9ebcc002b4067391f0baae96c3e23e8ef248a8 root@...-unix-sec01:/tmp/FileCache/Default/f/f/9# root@...-unix-sec01:/tmp/FileCache/Default/f/f/9# strings ff9984b83c656ad4884e116bcf60fdca16be6483 |more prod-mail-list02.example.com Cache::Object _Size Kv _Expires_At _Key KuZ _Created_At adduser-3.105ubuntu1 apache2-2.2.8-1ubuntu0.11 apache2.2-common-2.2.8-1ubuntu0.11 apache2-mpm-worker-2.2.8-1ubuntu0.11 apache2-utils-2.2.8-1ubuntu0.11 apt-0.7.9ubuntu17.2 aptitude-0.4.9-2ubuntu5 apt-utils-0.7.9ubuntu17.2 at-3.1.10ubuntu4 atsar-1.7-2 base-files-4.0.1ubuntu5.8.04.7 base-passwd-3.5.16 This can be fixed with a simple patch: larry@...zil:~/Desktop/Cache-Cache-1.06/lib/Cache$ diff -Nur FileCache.pm 1 --- FileCache.pm 2009-02-28 19:53:14.000000000 -0500 +++ 1 2010-02-12 21:13:31.000000000 -0500 @@ -35,7 +35,7 @@ # by default, the root of the cache is located in 'FileCache'. On a # UNIX system, this will appear in "/tmp/FileCache/" -my $DEFAULT_CACHE_ROOT = "FileCache"; +my $DEFAULT_CACHE_ROOT = qw(FileCache_) . $>; # by default, the directories in the cache on the filesystem should @@ -43,7 +43,7 @@ # potential security concern, the actual cache entries are written # with the user's umask, thus reducing the risk of cache poisoning -my $DEFAULT_DIRECTORY_UMASK = 000; +my $DEFAULT_DIRECTORY_UMASK = 077; sub Clear Cache::cache is no longer being developed, http://search.cpan.org/~jswartz/CHI-0.34/lib/CHI.pm should be used instead. http://vapid.dhs.org/w/doku.php?id=perl_cache:cache_filecache_permissions_issue _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists