[Full-disclosure] -advisory- * [Thu Mar 16 14:08:07 EST 2006] * DoS Vulnerability in Microsoft Excel

2006-03-16 Thread ZATAZ Audits



-advisory- * [Thu Mar 16 14:08:07 EST 2006] * DoS Vulnerability in Microsoft Excel




==
[+] DESCRIPTION
Sending a specially crafted malformed packet to the service's communication 
socket can create a loss of service.

==
[+] HISTORY
16-3-2006 [+] Public Disclosure.
==
[+] WORKAROUND
There have been no workarounds.
==
[+] VENDOR RESPONSE
Microsoft Excel has offered no identified commentary regarding the problem at 
hand.
==
[+] CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2006-62138 to this issue.

==
APPENDIX A VENDOR INFORMATION
http://www.microsoft.com



==
CONTACT
ZATAZ Audits [EMAIL PROTECTED]
1-888-565-9428
BEWARE THE JIZZTAPO!!!



GSAE CEH SSP-CNSA SSP-MPA GIPS GHTQ SSCP 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Advisory 2006-03-11 Local Privilege Escalation Vulnerability in AOL Client Software

2006-03-11 Thread ZATAZ Audits
Advisory 2006-03-11 Local Privilege Escalation Vulnerability in AOL Client Software

I. BACKGROUND

Advisory marked for immediate release.

II. DESCRIPTION

AOL Client Software incorrectly validates user input

III. HISTORY

This advisory has no history.

IV. WORKAROUND

There are no known workarounds.

V. VENDOR RESPONSE

AOL Client Software has not commented on this issue.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-636555 to this issue.

APPENDIX A. - Vendor Information
http://www.aol.com
APPENDIX B. - References
NONE

CONTACT:
*ZATAZ Audits [EMAIL PROTECTED]
*1-888-LOL-WHAT
*CISSP GSAE CCE CEH CSFA GREM SSP-CNSA SSP-MPA GIPS GHTQ GWAS


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] flexbackup default config insecure temporary file creation

2005-10-17 Thread ZATAZ Audits

#

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerabilities are due to insecure temporary file creation caused by 
the default config.


They allow symlink attacks to create arbitrary files with the privileges 
of the user running the affected script, sensitive information 
disclosure, and possibly local or remote arbitrary command execution.


##
Versions:
##

flexbackup <= 1.2.1

##
Solution:
##

Change default config $tmpdir

#
Timeline:
#

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report ([EMAIL PROTECTED]) : 2005-09-30
Disclosure : 2005-10-15

#
Technical details :
#

Vulnerable code :
-

* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined, /tmp is used by default, but here in the conf 
file tmpdir is set to /tmp by default.


5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236 # Create a script which tests the buffer program
5237 open(SCR, ">$tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR "    echo successful\n";
5247 print SCR "else\n";
5248 print SCR "    echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);

Here we have a possible symlink attack (race condition), and also the 
possibility to create an untrusted script in tmp_script (race 
condition).


The script that is created is also vulnerable to a possible symlink attack 
(race condition).


5253 if ($host eq 'localhost') {
5254     print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255     $pipecmd = "sh $tmp_script ";
5256 } else {
5257     print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258     $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script')";

We see here that the untrusted script could be executed on localhost or on a 
remote host.

5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here $cfg::pad_blocks must be false to exploit the possible symlink attack 
(race condition). By default in the conf file pad_blocks is true. No risk 
if the configuration is not modified.


359 if (defined($::pkgdelta)) {
360     if (defined($::local)) {
361         list_packages('localhost');
362         find_packaged_files('localhost');
363         find_changed_files('localhost');
364     }
365     foreach my $host (keys %::remotehosts) {
366         list_packages($host);
367         find_packaged_files($host);
368         find_changed_files($host);
369     }
370     $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371     line();
372 }

Here we have possible symlink attack (race condition)

619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841 unlink($result);
842 open(SCR, "> $exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '"$@"' . "\n";
845 print SCR '[ $? = 0 ] || echo "$@" >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }

This one is more difficult to race.


#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] apachetop insecure temporary file creation

2005-09-30 Thread ZATAZ Audits

#

apachetop insecure temporary file creation

Vendor: http://clueful.shagged.org/apachetop/
Advisory: http://www.zataz.net/adviso/apachetop-09022005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite 
arbitrary files with the privileges of the user running the affected 
script.


##
Versions:
##

apachetop <= 0.12.5

##
Solution:
##

Apply : apachetop_CAN-2005-2660.patch
Patch from Steve Kemp (Debian)
http://bugs.gentoo.org/attachment.cgi?id=69342

#
Timeline:
#

Discovered : 2005-09-02
Vendor notified : 2005-09-02
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) : 2005-09-13
Disclosure : 2005-09-30

#
Technical details :
#

Vulnerable code :
-

Take a look at : src/apachetop.h

247 #define DEBUG_OUTPUT "/tmp/atop.debug"

Then in : src/apachetop.cc

85 cf.debug = true;

1103 int dprintf(const char *fmt, ...) /* {{{ */
1104 {
1105     FILE *d;
1106     va_list args;
1107
1108     if (cf.debug && (d = fopen(DEBUG_OUTPUT, "a")))
1109     {
1110         va_start(args, fmt);
1111         vfprintf(d, fmt, args);
1112         fclose(d);
1113         va_end(args);
1114     }
1115
1116     return 0;
1117 } /* }}} */

#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=104473
CVE : CAN-2005-2660

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo security scout
Thxs to Gentoo Security Team.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ncompress insecure temporary file creation

2005-09-16 Thread ZATAZ Audits

#

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.

Secunia has reported that D1g1t4lLeech discovered this bug
on 2005-09-16.

ZATAZ Audit discovered this bug on 2005-09-05.

D1g1t4lLeech is a true Leecher :)

Gentoo Security, take care on your IRC channel: spies everywhere.

##
Versions:
##

ncompress <= 4.2.4-r1

##
Solution:
##

To prevent symlink attack use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) :
Disclosure :

#
Technical details :
#

ncompress uses a vulnerable version of zdiff and zcmp.

#
Related :
#

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Message for D1g1t4lLeech ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech you are a true Leecher ;)

2005-09-16 Thread ZATAZ Audits

Hello Mister D1g1t4lLeech,

You are not able to find security holes by yourself ;)

So you leech other people research.

Go back to your Kazaa leeching.

Secunia, you continue to not respect vendor release dates ;)

Bye
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] gtkdiskfree insecure temporary file creation

2005-09-15 Thread ZATAZ Audits

#

gtkdiskfree insecure temporary file creation

Vendor: http://gtkdiskfree.tuxfamily.org/ (no longer available)
Advisory: http://www.zataz.net/adviso/gtkdiskfree-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created 
insecurely. This can be exploited via symlink attacks to create and 
overwrite arbitrary files with the privileges of the user running the 
affected script.


##
Versions:
##

gtkdiskfree <= 1.9.3

##
Solution:
##

To prevent symlink attack use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-09-02
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report ([EMAIL PROTECTED]) : 2005-09-05
Disclosure : 2005-09-15

#
Technical details :
#

Vulnerable code :
-

Take a look at : src/mount.h

23 #define TUBE_NAME "/tmp/gtkdiskfree"

Then to : src/mount.c

32 open_cmd_tube (const gchar *cmd, const gchar *mount_point)
33 {
34     gint status;
35     gchar error[MAXLINE], *line;
36     FILE *sh, *tmp;
37
38     setbuf(stdout, error);
39     line = g_strconcat(cmd, " ", mount_point, " > ", TUBE_NAME, NULL);
40     sh = popen(line, "r");
41     g_free(line);
42
43     status = pclose(sh);
44
45     if (status == 0) {
46         remove(TUBE_NAME);
47         gui_list_main_update(GTK_TREE_VIEW(list_treeview));
48
49         return;
50     } else {
51         if ((tmp = fopen(TUBE_NAME, "r")) == NULL) {
52             gui_list_main_update(GTK_TREE_VIEW(list_treeview));
53
54             return;
55         }
56         if (fgets(error, MAXLINE-1, tmp) == NULL) {
57             fclose(tmp);
58             remove(TUBE_NAME);
59             gui_list_main_update(GTK_TREE_VIEW(list_treeview));
60
61             return;
62         }
63         fclose(tmp);
64         remove(TUBE_NAME);
65         error_window(error);
66     }
67     gui_list_main_update(GTK_TREE_VIEW(list_treeview));
68
69     return;
70 }

#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=104565
CVE : No CVE

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo Security Scout
Thxs to Gentoo Security Team.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] ekg insecure temporary file creation and arbitrary code execution

2005-07-05 Thread ZATAZ Audits

#

ekg insecure temporary file creation and arbitrary code execution

Vendor: http://dev.null.pl/ekg/
Advisory: http://www.zataz.net/adviso/ekg-06062005.txt
Vendor informed: yes
Exploit available: no
Impact : high
Exploitation : high

#

The vulnerabilities are caused by a temporary file being created 
insecurely.
This can be exploited via symlink attacks to create and overwrite 
arbitrary files with the privileges of the user running the affected 
script, and arbitrary commands are also possible by spiking the temporary 
file.

##
Versions:
##

ekg <= 2005-06-05 22:03

##
Solution:
##

For the symlink attack use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-05-27
Vendor notified : 2005-06-06
Vendor response : no response
Vendor fix : no fix
Vendor Sec report ([EMAIL PROTECTED]) : 2005-06-27
Disclosure : 2005-07-04

#
Technical details :
#

Vulnerable code :
-

In contrib/scripts/linki.py

 95 def czyjest ():
 96     if os.path.exists('/tmp/rmrmg_ekg_url'):
 97         wejsc= open ('/tmp/rmrmg_ekg_url')
 98         file = wejsc.readlines()
 99         dlug=len(file)
100         wejsc.close()
101         #ekg.printf("generic", "liczność %d" %(dlug))
102         return file
103     else:
104         return 0

Then

35 def handle_keypress(meta, key):
36     if key == 269:
37         ekg.printf("generic", "wciśnieto F5")
38         nurl=czyjest()
39         if nurl == 0:
40             ekg.printf("generic", "nie ma zadnego adresu URL")
41         else:
42             dlug=len(nurl)
43             if dlug == 1:
44                 ekg.printf("generic", "otwieram %s w nowej zakładce" %(nurl[0]))
45                 os.system("MozillaFirebird -remote 'openURL(%s,new-tab)'" %(nurl[0]))
46                 os.system('rm /tmp/rmrmg_ekg_url')
47             else:
48                 ekg.printf("generic", "linków mam %d" %(dlug))
49                 wielejest(nurl)
50                 ekg.printf("generic", "otwieram %s w nowej zakładce" %(nurl[0]))
51                 os.system("MozillaFirebird -remote 'openURL(%s, new-tab)'" %(nurl[0]))
52     elif key == 270:
53         ekg.printf("generic", "wcisnięto F6")
54         nurl=czyjest()
55         if nurl == 0:
56             ekg.printf("generic", "nic nie moge skasować - nie ma zadnego adresu URL")
57         else:
58             dlug=len(nurl)
59             if dlug == 1:
60                 ekg.printf("generic", "kasuje adres %s" %(nurl[0]))
61                 os.system('rm /tmp/rmrmg_ekg_url')
62             else:
63                 ekg.printf("generic", "jest wiele linków")
64                 wielejest(nurl)
65                 ekg.printf("generic", "kasuje pierwszy czyli: %s" %(nurl[0]))
66     elif key == 271:
67         ekg.printf("generic", "wcisnięto F7")
68         nurl=czyjest()
69         if nurl == 0:
70             ekg.printf("generic", "nie ma zadnego adresu URL")
71         else:
72             dlug=len(nurl)
73             if dlug == 1:
74                 ekg.printf("generic", "otwieram %s w nowym oknie" %(nurl[0]))
75                 os.system("MozillaFirebird %s" %(nurl[0]))
76                 os.system('rm /tmp/rmrmg_ekg_url')
77             else:
78                 ekg.printf("generic", "linków mam %d" %(dlug))
79                 wielejest(nurl)
80                 ekg.printf("generic", "otwieram %s w nowym oknie" %(nurl[0]))
81     elif key == 272:
82         ekg.printf("generic", "wcisnięto F8")
83         nurl=czyjest()
84         ekg.printf("generic", "F5 - otwiera w nowej zakładce; F7 w nowym oknie, a F6 kasuje, wszystko tyczy się pierwszej pozycji z listy")
85         if nurl == 0:
86             ekg.printf("generic", "nie ma zadnego adresu URL")
87         else:
88             dlug=len(nurl)
89             ekg.printf("generic", "linków mam %d oto one:" %(dlug))
90             for po in nurl:
91                 ekg.printf("generic", "%s" %(po))
92     return 1

#
Related :
#

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94172
CVE : CAN-2005-1916

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] kpopper insecure temporary file creation

2005-07-05 Thread ZATAZ Audits

#

kpopper insecure temporary file creation

Vendor: http://kpopper.sourceforge.net/
Advisory: http://www.zataz.net/adviso/kpopper-06152005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite 
arbitrary files with the privileges of the user running the affected 
script.


##
Versions:
##

kpopper <= 1.0

##
Solution:
##

To prevent symlink attack use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-06-13
Vendor notified : 2005-06-15
Vendor response : no response
Vendor fix : no fix
Vendor Sec report ([EMAIL PROTECTED]) : 2005-06-27
Disclosure : 2005-07-04

#
Technical details :
#

Vulnerable code :
-

popper/popper-send.sh

#!/bin/sh
echo $2 > /tmp/.popper-new
echo `date +"%a %l:%m %p"` >> /tmp/.popper-new
cat $1 >> /tmp/.popper-new
mv -f /tmp/.popper-new /tmp/.popper

The .popper file is also used in :

popper/popper.cpp

#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=94475
CVE : CAN-2005-1917

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] log4sh insecure temporary file creation

2005-07-04 Thread ZATAZ Audits

#

log4sh insecure temporary file creation

Vendor: http://forestent.com/products/log4sh/
Advisory: http://www.zataz.net/adviso/log4sh-06092005.txt
Vendor informed: yes
Exploit available: no
Impact : low
Exploitation : low

#

The vulnerabilities are caused by a temporary file being created 
insecurely.
This can be exploited via symlink attacks to create and overwrite 
arbitrary files with the privileges of the user running the affected script.

##
Versions:
##

log4sh <= 1.2.5

##
Solution:
##

Use kernel patch such as grsecurity

#
Timeline:
#

Discovered : 2005-05-26
Vendor notified : 2005-06-09
Vendor response : no response
Vendor fix : no fix
Vendor Sec report ([EMAIL PROTECTED]) : 2005-06-27
Disclosure : 2005-07-04

#
Technical details :
#

Vulnerable code :
-

356 log4sh_readProperties()
357 {
358   _file=$1
359
360   _tmpFile=/tmp/log4sh.$$
361   grep "^log4sh\." $_file > $_tmpFile

#
Related :
#

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94069

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] GIPTables Firewall <= v1.1 insecure temporary file creation

2005-06-06 Thread ZATAZ Audits

#

GIPTables Firewall insecure temporary file creation

Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low

#

The vulnerability is caused by a temporary file being created 
insecurely. This can be exploited via symlink attacks in combination 
with a race condition to create and overwrite arbitrary files with the 
privileges of the user running the affected script.


It is also possible to cause a Denial of Service by manipulating the
IP addresses present in the temporary file.

Exploitation requires that root configures or reconfigures the
firewall rules.

##
Versions:
##

GIPTables Firewall <= v1.1

##
Solution:
##

No solution yet.

#
Timeline:
#

Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06

#
Technical details :
#

Vulnerable code :
- - -

# Network Ghouls

[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"

if [ "$NETWORK_GHOULS" == "yes" ] && [ -f "$GIPTABLES_BLOCKED_FILE" ]; then

    deny_file="$GIPTABLES_BLOCKED_FILE"
    temp_file="/tmp/temp.ip.addresses"
    cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk '$1' > $temp_file
    while read ip_addr
    do

        drop_ipaddr interface0_in source $ip_addr && \
        drop_ipaddr interface0_out destination $ip_addr

        [ -n "$INTERFACE1" ] && \
        drop_ipaddr interface1_in source $ip_addr && \
        drop_ipaddr interface1_out destination $ip_addr

        [ -n "$INTERFACE1" ] && \
        drop_ipaddr network1_in source $ip_addr && \
        drop_ipaddr network1_out destination $ip_addr

    done < $temp_file
    rm -f $temp_file > /dev/null 2>&1
    unset temp_file
    unset deny_file

fi

#
Related :
#

nothing related

##
Possible fix :
##

deny_file="$GIPTABLES_BLOCKED_FILE"

if mkdir /tmp/.giptables.$$; then
    chmod 700 /tmp/.giptables.$$
    temp_file="/tmp/.giptables.$$/temp.ip.addresses"
else
    echo "$Error: failed to create temporary file" 1>&2
    exit 1
fi
temp_file="/tmp/.giptables.$$/temp.ip.addresses"


#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
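As an added example (not GIPTables' own code, nor the advisory's possible fix above): the Network Ghouls extraction rewritten around a private, atomically created per-run directory, which is the idea the possible fix relies on, here with a fallback for systems without mktemp. The function names make_private_tmpdir, extract_blocked_ips, count_ips and demo are chosen here, and the deny file is a constructed sample; drop_ipaddr itself is not called.

```shell
#!/bin/sh
# Added example, not GIPTables' or the advisory author's code: the
# "Network Ghouls" filter using a private per-run directory created
# atomically, so the temp file never sits at a predictable /tmp path.

# Create a fresh mode-0700 directory under ${TMPDIR:-/tmp} and print its path.
# mkdir(2) fails if the name already exists (directory or planted symlink),
# so a pre-created path is refused instead of being followed.  Returns 1 on
# failure; the caller must then abort rather than fall back to a fixed name.
make_private_tmpdir() {
    base=${TMPDIR:-/tmp}
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "$base/.giptables.XXXXXX"
        return $?
    fi
    # No mktemp: PID plus a small retry counter, with -m applied at creation.
    i=0
    while [ "$i" -lt 10 ]; do
        d="$base/.giptables.$$.$i"
        if mkdir -m 700 "$d" 2>/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Same sed/awk extraction as the vulnerable block, but the output file lives
# inside the private directory ($2) rather than at /tmp/temp.ip.addresses.
# Prints the path of the file it wrote.
extract_blocked_ips() {
    deny_file=$1
    temp_file="$2/temp.ip.addresses"
    sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' "$deny_file" | awk '$1' > "$temp_file"
    printf '%s\n' "$temp_file"
}

# Count the addresses the while/read loop would hand to drop_ipaddr.
count_ips() {
    n=0
    while read -r ip_addr; do
        n=$((n + 1))
    done < "$1"
    echo "$n"
}

# End-to-end run on a constructed deny file (not a real blocklist).
# Prints the number of extracted addresses; the directory is removed on exit.
demo() {
    dir=$(make_private_tmpdir) || return 1
    trap 'rm -rf "$dir"' EXIT
    deny="$dir/blocked.txt"
    printf '%s\n' '# comment line' '192.0.2.10 bad host' '  198.51.100.7' '' > "$deny"
    list=$(extract_blocked_ips "$deny" "$dir")
    count_ips "$list"
}

demo
```

The comment line and the blank line are dropped by the sed/awk filter, so the run prints 2; a second invocation gets a different directory name, which is what defeats a pre-planted symlink.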


[Full-disclosure] LutelWall <= 0.97 insecure temporary file creation

2005-06-06 Thread ZATAZ Audits

#

LutelWall insecure temporary file creation

Vendor: http://firewall.lutel.pl/index.php
Advisory: http://www.zataz.net/adviso/lutelwall-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low

#

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite 
arbitrary files with the privileges of the user running the affected script.

Exploitation requires that root tries to update the software.

##
Versions:
##

LutelWall <= 0.97

##
Solution:
##

No solution yet.

#
Timeline:
#

Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : none
Vendor fix :  no fix
Disclosure : 2005-06-06

#
Technical details :
#

Vulnerable code :
-

# Prefix of temporary firewall files
tmp='/tmp/lutelwall'

new_version_check () { # Check for new version of script

 if [ `wget -V 2>&1 >/dev/null` ]; then
  message 3 "Warrning: Wget is required to check for updates."
 else
  new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`" http://firewall.lutel.pl/ver`
  if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'` -lt `echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then

   echo -e "\nThere is newer version of LutelWall (${new_ver})"
   echo -n " Changes since previous version:"
   echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3 http://firewall.lutel.pl/FEATURES-${new_ver}`

   cat $tmp-newfeat
   echo "Do you want to update [y/N]? "
   read -s -t 5 -n 1 ln
   if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then
    wget -O $tmp-script -q -T 3 http://firewall.lutel.pl/lutelwall
    cat $tmp-script > $0
    rm -rf $tmp-script
    echo "Your firewall is up to date, exiting after update!"
    exit
   else
    message 5 "Update aborted"
   fi
  else
   message 5 "LutelWall is up-to-date"
  fi;
 fi;

}

#
Related :
#

nothing related

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/