#########################################################
log4sh insecure temporary file creation
Vendor: http://forestent.com/products/log4sh/
Advisory: http://www.zataz.net/adviso/log4sh-06092005.txt
Vendor informed: yes
Exploit available: no
Impact : low
Exploitation : low
#########################################################
The vulnerabilities are caused due to temporary file being created
insecurely.
This can be exploited via symlink attacks in combination to create and
overwrite
arbitrary files with the privileges of the user running the affected script.
##########
Versions:
##########
log4sh <= 1.2.5
##########
Solution:
##########
Use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-05-26
Vendor notified : 2005-06-09
Vendor response : no reponse
Vendor fix : no fix
Vendor Sec report ([EMAIL PROTECTED]) : 2005-06-27
Disclosure : 2005-07-04
#####################
Technical details :
#####################
Vulnerable code :
-----------------
356 log4sh_readProperties()
357 {
358 _file=$1
359
360 _tmpFile="/tmp/log4sh.$$"
361 grep "^log4sh\." $_file >$_tmpFile
#########
Related :
#########
Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94069
#####################
Credits :
#####################
Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
