[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Gambas 3.3.4 Directory hijack vulnerability
From: "Larry W. Cashdollar" <larry0 () me ! com>
Date: 2013-02-27 17:29:19
Message-ID: db8018fd-f741-42b3-97c6-fcd2fa798272 () me ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Gambas 3.3.4 Directory hijack vulnerability
The gambas software package creates a directory in tmp to work from without verifying another
user hasn't already created it. This allows a local user to hijack ownership. This advisory \
was taken from the bug filed with the developers.
Describe the problem:
Gambas creates a directory in /tmp called gambas.UID where UID is the user id of the person
running the software. Gambas doesn't check to see if a malicious user has already created that
directory.
A malicious user can then manipulate (mv or remove) that directory once gambas has created \
files under it.
larry@aliquot:/tmp$ mkdir gambas.0
larry@aliquot:/tmp$ ls -ld gambas.0
drwxr-xr-x 2 larry staff 4096 2012-12-13 16:37 gambas.0 larry@aliquot:/tmp$ cd gambas.0
larry@aliquot:/tmp/gambas.0$ ls
larry@aliquot:/tmp/gambas.0$ ls -l
total 4
drwx------ 2 root root 4096 2012-12-13 16:37 25257 larry@aliquot:/tmp/gambas.0$ rm -rf 25257 \
larry@aliquot:/tmp/gambas.0$
User larry was able to remove the directory gambas created as root.
2) Software Details
Version: gambas3-runtime-3.3.4~lucid2
Revision:
Operating system: Linux
Distribution: Ubunt
Architecture: x86_64
GUI component: QT3 / QT4 / GTK+
Desktop used: Gnome
3) Provide a little project that reproduces the bug or the crash.
ubuntu-builder runs as root
See bug posted here for details and fix from vendor:
http://code.google.com/p/gambas/issues/detail?id=365
@_larry0 Larry W. Cashdollar
http://otiose.dhs.org
[Attachment #5 (multipart/related)]
[Attachment #7 (text/html)]
<html><body><div><pre><code>Gambas 3.3.4 Directory hijack vulnerability<br><br><br>The gambas \
software package creates a directory in tmp to work from without verifying another <br>user \
hasn't already created it. This allows a local user to hijack ownership. This advisory was \
taken<br>from the bug filed with the developers.<br><br>Describe the problem:<br><br>Gambas \
creates a directory in /tmp called gambas.UID where UID is the user id of the person \
<br>running the software. Gambas doesn't check to see if a malicious user has already created \
that <br>directory.<br><br>A malicious user can then manipulate (mv or remove) that directory \
once gambas has created files <br>under it.<br>larry@aliquot:/tmp$ mkdir \
gambas.0<br>larry@aliquot:/tmp$ ls -ld gambas.0<br>drwxr-xr-x 2 larry staff 4096 2012-12-13 \
16:37 gambas.0 larry@aliquot:/tmp$ cd gambas.0<br>larry@aliquot:/tmp/gambas.0$ \
ls<br>larry@aliquot:/tmp/gambas.0$ ls -l<br>total 4<br>drwx------ 2 root root 4096 2012-12-13 \
16:37 25257 larry@aliquot:/tmp/gambas.0$ rm -rf 25257 larry@aliquot:/tmp/gambas.0$<br><br>User \
larry was able to remove the directory gambas created as root.<br><br>2) Software \
Details<br><br>Version: gambas3-runtime-3.3.4~lucid2<br>Revision:<br>Operating system: \
Linux<br>Distribution: Ubunt<br>Architecture: x86_64<br>GUI component: QT3 / QT4 / \
GTK+<br>Desktop used: Gnome<br><br>3) Provide a little project that reproduces the bug or the \
crash.<br><br>ubuntu-builder runs as root<br><br><br>See bug posted here for details and fix \
from vendor:<br><br>http://code.google.com/p/gambas/issues/detail?id=365<br><br>@_larry0 Larry \
W. Cashdollar<br><br>http://otiose.dhs.org<br></code></pre></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic