Cscope Tempfile Symlink Arbitrary File Deletion

2004-11-08T17:23:00
ID OSVDB:11919
Type osvdb
Reporter Jeremy Bae (swbae@stgsecurity.com)
Modified 2004-11-08T17:23:00

Description

Vulnerability Description

Cscope contains a flaw that may allow a malicious user to predict an upcoming temporary filename and use a symlink attack to cause corruption and removal of arbitrary system files. The product uses the directory found in the environment variable "TMPDIR" to store its temporary files. When creating these temporary files, cscope follows a predictable naming scheme and does not check whether a file by the chosen name already exists. This issue may result in a loss of integrity.

Technical Description

The vulnerable code in main.c creates temporary files with predictable filenames in a predictable location, without checking whether the file already exists:

main.c:

    char temp1[PATHLEN + 1];    /* temporary file name */
    char temp2[PATHLEN + 1];    /* temporary file name */

main.c: main():

    tmpdir = mygetenv("TMPDIR", TMPDIR);
    ...
    /* create the temporary file names */
    pid = getpid();
    (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
    (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);

The code above creates filenames of the form "cscope[pid].[#]" in the directory named by the environment variable "TMPDIR", such as "/tmp/cscope1432.1", "/tmp/cscope1432.2", etc. An attacker may symlink the next tempfile name in the predictable sequence to an arbitrary file, which Cscope will then corrupt and eventually remove, provided the user running Cscope has sufficient permissions on the symlinked target file. If Cscope is run as root, any file on the system may be corrupted and removed when Cscope exits:

main.c: myexit():

    /* remove any temporary files */
    if (temp1[0] != '\0') {
        (void) unlink(temp1);
        (void) unlink(temp2);
    }
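As an added example, not code from cscope or from this advisory, the following shows how the tempfile handling above looks when hardened with mkstemp(3): the suffix is random and the file is created atomically with O_EXCL and mode 0600, so a symlink planted under a guessable name is never followed, and a sanity check confirms that the descriptor refers to a private regular file before it is used. The helper names make_private_tempfile, tempfile_is_sane and remove_tempfile are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATHLEN 1024

/* Hardened replacement for the "%s/cscope%d.1" scheme (hypothetical helper,
 * not cscope code): the suffix is random and mkstemp() creates the file with
 * O_CREAT|O_EXCL and mode 0600, so a symlink planted under a guessable name
 * is never followed; creation simply fails. Returns the open fd, or -1 with
 * path[0] == '\0' on failure, matching the temp1[0] != '\0' test in myexit(). */
int make_private_tempfile(const char *tmpdir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/cscope.XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= pathlen) {     /* reject a truncated name */
        path[0] = '\0';
        return -1;
    }
    int fd = mkstemp(path);                  /* replaces XXXXXX in place */
    if (fd < 0)
        path[0] = '\0';
    return fd;
}

/* Check before use: the descriptor must be a private regular file and still
 * the inode the path names (no symlink, no swap after creation). */
int tempfile_is_sane(int fd, const char *path)
{
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0)
        return 0;
    if (!S_ISREG(fs.st_mode) || S_ISLNK(ls.st_mode))
        return 0;
    if (fs.st_ino != ls.st_ino || fs.st_dev != ls.st_dev)
        return 0;
    return fs.st_uid == getuid() && (fs.st_mode & 077) == 0;
}

/* Cleanup mirroring myexit(): only unlink a path this process created. */
void remove_tempfile(int fd, const char *path)
{
    if (fd >= 0) close(fd);
    if (path[0] != '\0') unlink(path);
}
```

In place of the two sprintf() calls, main() would call make_private_tempfile() once per temp file with the TMPDIR value, keep the returned descriptors for its I/O, and have myexit() call remove_tempfile() instead of unlink() on a name it never verified.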

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to reduce exposure to the flaw with the following workaround:

- A user setting his/her "TMPDIR" environment variable to a more trusted location, such as "~/tmp", should mitigate some risk.

Short Description

Cscope contains a flaw that may allow a malicious user to predict an upcoming temporary filename and use a symlink attack to cause corruption and removal of arbitrary system files. The product uses the directory found in the environment variable "TMPDIR" to store its temporary files. When creating these temporary files, cscope follows a predictable naming scheme and does not check whether a file by the chosen name already exists. This issue may result in a loss of integrity.

References:

Vendor URL: http://cscope.sourceforge.net/
Vendor Specific News/Changelog Entry: http://sourceforge.net/tracker/index.php?func=detail&aid=1062807&group_id=4664&atid=104664
Security Tracker: 1012257
Secunia Advisory ID: 13488
Secunia Advisory ID: 13237
Secunia Advisory ID: 14876
Secunia Advisory ID: 26235
Secunia Advisory ID: 13503
Secunia Advisory ID: 13521
Other Advisory URL: http://sourceforge.net/tracker/index.php?func=detail&aid=1062807&group_id=4664&atid=104664
Other Advisory URL: http://www.rexotec.com/advisory/RX171104.html
Other Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.11/SCOSA-2005.11.txt
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200412-11.xml
Other Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.21/SCOSA-2004.21.txt
Other Advisory URL: http://www.debian.org/security/2004/dsa-610
Other Advisory URL: http://docs.info.apple.com/article.html?artnum=306172
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-11/1073.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0223.html
ISS X-Force ID: 18125
Generic Exploit URL: http://www.rexotec.com/advisory/RX171104.html
Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/RXcscope_proof.sh
Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/RXcscope_proof.c
CVE: CVE-2004-0996
Bugtraq ID: 11697