ncompress insecure temporary file creation

2005.09.17
Risk: Low
Local: No
Remote: No
CWE: N/A


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

######################################################### ncompress insecure temporary file creation Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/ Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt Vendor informed: yes Exploit available: yes Impact : low Exploitation : low ######################################################### The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination with a race condition to create and overwrite arbitrary files with the privileges of the user running the affected script. Secunia has reported that D1g1t4lLeech has discovered this bug the 2005-09-16 ZATAZ Audit has discovered this bug the 2005-09-05 D1g1t4lLeech is a true Leecher :) Gentoo Security take care on your IRC Channel, spy everywhere. ########## Versions: ########## ncompress <= 4.2.4-r1 ########## Solution: ########## To prevent symlink attack use kernel patch such as grsecurity ######### Timeline: ######### Discovered : 2005-09-05 Vendor notified : 2005-09-05 Vendor response : no reponse Vendor fix : no patch Vendor Sec report (vendor-sec (at) lst (dot) de [email concealed]) : Disclosure : ##################### Technical details : ##################### ncompress use vulnerable version off zdiff and zcmp. ######### Related : ######### Secunia : http://secunia.com/advisories/13131/ CVE : CAN-2004-0970 ##################### Credits : ##################### Eric Romang (eromang (at) zataz (dot) net [email concealed] - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top