autojump profile will load random stuff from a directory called custom_install

2013.04.25
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-269


CVSS Base Score: 4.4/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Description of problem: /etc/profile.d/autojump.sh might load $CWD/custom_install/autojump.$SHELL or $CWD/custom_install/autojump.$SHELL. When a user starts a shell in /tmp or another publicly writable directory, and has $SHELL unset or set to something different than zsh or bash, e.g. dash, an attacker might create this file there. Version-Release number of selected component (if applicable): I think that the script hasn't changed recently, so Fedora 17 to rawhide is probably affected. a security flaw was found in the way autojump, a tool for faster filesystem navigation from the command line, used to honour content of custom_install directory when global and local autojump installations were not found, and $SHELL variable was unset or set to different value than bash or zsh. If an unsuspecting autojump user was tricked into running autojump script from the directory a local attacker has write access to, this flaw could be used for arbitrary (Python) code execution with the privileges of the user running the autojump binary / script. Relevant (final) upstream patches are as follows: [1] https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec [2] https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a References: [3] https://bugzilla.redhat.com/show_bug.cgi?id=950777 Credit: This issue was found and reported to Red Hat Bugzilla [3] by Zbigniew Jedrzejewski-Szmek. Thanks also goes to Jan Pokorny for bringing this one to my attention, and to William Ting of autojump upstream for promptly fixing the issue.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=950777
https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec
https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a
https://bugzilla.redhat.com/show_bug.cgi?id=950777
http://seclists.org/oss-sec/2013/q2/192


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top