######################################################### ncompress insecure temporary file creation Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/ Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt Vendor informed: yes Exploit available: yes Impact : low Exploitation : low ######################################################### The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination with a race condition to create and overwrite arbitrary files with the privileges of the user running the affected script. Secunia has reported that D1g1t4lLeech has discovered this bug the 2005-09-16 ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech is a true Leecher :) Gentoo Security take care on your IRC Channel, spy everywhere. ########## Versions: ########## ncompress <= 4.2.4-r1 ########## Solution: ########## To prevent symlink attack use kernel patch such as grsecurity ######### Timeline: ######### Discovered : 2005-09-05 Vendor notified : 2005-09-05 Vendor response : no reponse Vendor fix : no patch Vendor Sec report (vendor-sec (at) lst (dot) de [email concealed]) : Disclosure : ##################### Technical details : ##################### ncompress use vulnerable version off zdiff and zcmp. ######### Related : ######### Secunia : http://secunia.com/advisories/13131/ CVE : CAN-2004-0970 ##################### Credits : ##################### Eric Romang (eromang (at) zataz (dot) net [email concealed] - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)