phusion passenge insecure temp files usage

2013-06-10 / 2014-01-05
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


Ogólna skala CVSS: 4.6/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

While looking at CVE-2013-2119 I noticed that Phusion Passenger 2.2.11's ext/common/Utils.cpp makeDirTemp() uses mkdir(1) to create directories in /tmp (e.g. /tmp/phusion.$$) for use by the application and web server. A local user could create the directories and have write access to directories, and possibly files used by the application. I haven't confirmed, but I guess this would allow some sort of privilege escalation to the user executing the application or at least access to otherwise restricted data. Additionally, some of the subdirectories might be chown(2)ed to a different user even if the directory already existed (it chowns iff mkdir(1) returns 0). Not sure if it could have an impact, however. Later versions of Phusion Passenger (namely, 3.0.13) use mkdir(2) directly but it only checks for EEXIST, in which case it even skips the chown. The directory is chmod'ed and chown'ed otherwise. So, at least in 3.0.13 a file could be created instead of a directory and the code would go on, while in 2.2.11 one would need to win the race condition in mkdir(1) -p's stat check. Does anyone know enough about phusion passenger to know what the impact could be? (and depending on that, assigning CVE id(s)) Cheers,

Referencje:

http://seclists.org/oss-sec/2013/q2/534


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top