lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CABjHU=4QVaGEYkd_1456fNfAEb+zJDMT-Pham2o_ymaCKKEO=w@mail.gmail.com>
Date: Wed, 4 Jun 2014 17:50:13 -0400
From: A B <icanbenchpressmykeyboard@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] More /tmp fun (PHP, Lynis)

After reading about today's "Check, rootkit" vulnerability (CVE-2014-0476),
I thought I'd share these stupid bugs:

BUG #1 - PHP's ./configure script writes a predictable filename to /tmp
allowing for a symlink attack against the user running the script

>From PHP 5.5.13:

 18045 #include <stdio.h>
 18046 int main(int argc, char *argv[])
 18047 {
 18048   FILE *fp;
 18049   long position;
 18050   char *filename = "/tmp/phpglibccheck";
 18051
 18052   fp = fopen(filename, "w");
 18053   if (fp == NULL) {
 18054     perror("fopen");
 18055     exit(2);
 18056   }
 18057   fputs("foobar", fp);
 18058   fclose(fp);
 18059
 18060   fp = fopen(filename, "a+");
 18061   position = ftell(fp);
 18062   fclose(fp);
 18063   unlink(filename);
 18064   if (position == 0)
 18065   return 1;
 18066   return 0;
 18067 }

Reported to security@....net twice, no response ever received:
  September 22, 2012
  January 8, 2013

This issue goes back at least 10+ years, but no one configures/compiles PHP
as root and your files aren't important anyway.


BUG #2 - Lynis 1.5.4 (and presumably earlier) writes a predictable filename
to /tmp allowing for a symlink attack against the user running the script
Website: rootkit.nl

This utility, which is similar in nature to "chkrootkit" and "rkhunter" and
must be run as root, also writes a predictable filename to /tmp (you'll
have to win a race for this one). Unreported, because this is security
software. Therefore it is secure. (The logic is intentional. What's to
report?)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ