Forticlient SSL VPN Symlink Overwrite

2011-05-30T00:00:00
ID PACKETSTORM:101794
Type packetstorm
Reporter magikh0e
Modified 2011-05-30T00:00:00

Description

                                        
forticlientsslvpn suffers from an insecure lock file creation issue.
Upon starting forticlientsslvpn, the file 'forticlientsslvpn.lock'
is created under the /tmp directory with octal permissions
0666.
  
The client does not first check whether this file already exists, or whether
it is currently owned by the user running the client.
  
P.O.C  
Create a symlink from /tmp/forticlientsslvpn.lock  
to /some/file/owned_by_root as a non-root user. Then run the  
forticlientsslvpn client as root and the file you pointed at will then  
be overwritten upon execution.  
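
For developers fixing this class of bug, the following added example (not code from the advisory or from the vendor) contrasts an assumed reconstruction of the flawed pattern with a hardened lock file open. The function names and the default path in `main` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed shape of the flawed pattern (not the client's real code):
 * follows a symlink at the path, truncates the target, mode 0666. */
int open_lock_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: never follows a symlink, never truncates, and accepts only a
 * regular, singly linked file owned by the caller, not group/world-writable. */
int open_lock_safe(const char *path)
{
    struct stat st;
    /* With O_CREAT|O_EXCL, open() fails if the name exists, symlink included. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0 && errno == EEXIST)  /* possible stale lock: no create, no truncate */
        fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Validate the object actually opened, not the path, to avoid a race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Hypothetical default path; a root-only directory such as /run is a
     * better home for a root-owned lock than world-writable /tmp. */
    const char *path = argc > 1 ? argv[1] : "/run/example-client.lock";
    int fd = open_lock_safe(path);
    if (fd < 0) {
        perror("refusing lock file");
        return EXIT_FAILURE;
    }
    close(fd);
    return EXIT_SUCCESS;
}
```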
  
  
  