BugTraq
Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 17 2008 10:54PM
Jan Minář (rdancer rdancer org) (2 replies)
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution Jul 25 2008 01:17AM
Robert Buchholz (rbu gentoo org) (1 replies)
On Friday 18 July 2008, Jan Minář wrote:
...
> 3. Vulnerability
>
> During the build process, a temporary file with a predictable name is
> created in the ``/tmp'' directory. This code is run when Vim is
> being built with Python support:
>
> src/configure.in:
>
>        677 dnl -- we need to examine Python's config/Makefile too
>        678 dnl see what the interpreter is built from
>        679 AC_CACHE_VAL(vi_cv_path_python_plibs,
>        680 [
>        681 tmp_mkf="/tmp/Makefile-conf$$"
> (1)--> 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
>        683 __:
>        684 @echo "python_MODLIBS='$(MODLIBS)'"
>        685 @echo "python_LIBS='$(LIBS)'"
>        686 @echo "python_SYSLIBS='$(SYSLIBS)'"
>        687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
>        688 eof
>        689 dnl -- delete the lines from make about Entering/Leaving directory
> (2)--> 690 eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
>        691 rm -f ${tmp_mkf}
>
> The attacker has to create the temporary file
> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
> the time between (1) and (2), arbitrary commands can be written to
> the file. They will be executed at (2).

The commands do not have to be written there between (1) and (2), they
can be in the file long before the ./configure was started -- just
because the script does care whether it can write to the file at all.
So unlike stated in the advisory, and in CVE-2008-3294, the issue does
not involve a race condition if the attacker would choose to create a
644 file.

Robert
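
One way to harden the pattern discussed in this thread, as an added example that is not part of the original posts or of Vim's build scripts: the scratch Makefile goes into a fresh `mktemp -d` directory, and the write is exclusive and checked, so a file that already exists at the target path is never consumed. The function names, the `vimconf.XXXXXX` template and the single-line probe target are assumptions made for illustration, and `mktemp(1)` is assumed to be available.

```shell
#!/bin/sh
# Added example, not Vim's code. Function and file names are hypothetical.

# Print the path of a scratch Makefile inside a fresh directory that only
# the current user can enter (mktemp -d creates it with mode 0700).
new_tmp_mkf() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vimconf.XXXXXX") || return 1
    printf '%s\n' "$dir/Makefile-conf"
}

# Copy stdin to $1 only if $1 does not exist yet. With noclobber (set -C)
# the redirection fails on an existing file, and the function returns that
# failure to the caller instead of carrying on as the code at (1) does.
write_new_file() (
    set -C
    cat > "$1"
) 2>/dev/null

# Concatenate the config Makefile ($1) and the probe target into a scratch
# file and print its path; any failed step aborts before make would run.
build_probe_makefile() {
    [ -r "$1" ] || return 1
    mkf=$(new_tmp_mkf) || return 1
    if cat "$1" - <<'eof' | write_new_file "$mkf"
__: ; @echo "python_LIBS='$(LIBS)'"
eof
    then
        printf '%s\n' "$mkf"
    else
        rm -rf "${mkf%/*}"
        return 1
    fi
}

# Demo on constructed input: a stand-in for ${PYTHON_CONFDIR}/Makefile.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'LIBS=-lpthread -ldl\n' > "$sandbox/Makefile"
    out=$(build_probe_makefile "$sandbox/Makefile") || return 1
    echo "probe Makefile written to $out"
    rm -rf "${out%/*}" "$sandbox"
}
demo
```

The caller would pass the printed path to `make -f` and remove its parent directory afterwards.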
