[UNIX] Bad Temporary File Handling in GNAT
From: support@securiteam.com
Date: 02/15/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 15 Feb 2002 03:52:30 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Bad Temporary File Handling in GNAT
------------------------------------------------------------------------
SUMMARY
The run-time library of the GNU Ada compiler (GNAT, <http://www.gnat.com/>)
handles temporary files in an unsafe manner, which enables tmp
symlink attacks and may enable local users to gain root access.
DETAILS
Systems affected:
All POSIX multi-user systems running GNAT-compiled binaries that use Ada
language facilities for creating temporary files are affected. The
following GNAT versions are known to have this defect:
* GNAT 3.12p
* GNAT 3.13p
* GNAT 3.14p
(The unreleased version of GNAT from the GCC CVS fixes this security
defect on GNU/Linux, but introduces another one. Its use is strongly
discouraged until this problem has been addressed.)
Attack vector:
Interactive access is usually required to exploit this vulnerability.
Impact:
The impact depends on the application creating the temporary file. It
ranges from temporary to permanent denial of service, from data
eavesdropping to system compromise.
Description:
The Ada language offers a facility to create named temporary files (see
ISO/IEC 8652:1995, section A.8.5.2). The GNAT run-time library creates
these temporary files in an unsafe way, which can result in exploitable
/tmp race conditions.
In addition, the procedure GNAT.OS_Lib.Create_Temp_File creates the
temporary file in the current directory and does not retry with a
different file name if the generated random file name has come into
existence before the file is opened using O_EXCL.
Proposed solution:
The patch below replaces the calls to tmpnam() or mktemp() with ones to
mkstemp(). Of course, this only works on systems where mkstemp() is
available.
* Patch for GNAT 3.14p:
<http://cert.uni-stuttgart.de/files/fw/gnat-3.14p-mkstemp.diff>
Unfortunately, changes that are more substantial are required for previous
versions of GNAT.
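
The two creation patterns discussed above, as an added C example (not part of the advisory and not the GNAT patch): mkstemp() as the replacement for tmpnam()/mktemp(), and an O_EXCL open that retries with another name on collision. The function names, the `demo-` file naming and the `/tmp/gnat-demo-` path are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory's patch moves to: mkstemp() chooses the name and
 * opens it with O_CREAT|O_EXCL (mode 0600) in a single step, so no window
 * exists between picking a name and opening it. tmpl must end in "XXXXXX"
 * and is overwritten with the name actually used. */
int open_temp_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Fallback where mkstemp() is unavailable: open each candidate with O_EXCL
 * and move on to another name on EEXIST, the retry the advisory says
 * GNAT.OS_Lib.Create_Temp_File lacks. O_CREAT|O_EXCL also fails with EEXIST
 * on a symlink, even a dangling one, so a planted link is never followed.
 * Names are sequential here only to make collisions reproducible; real
 * code should draw them from an unpredictable source. */
int open_temp_excl_retry(const char *dir, char *out, size_t outlen,
                         unsigned first, int max_tries)
{
    for (int i = 0; i < max_tries; i++) {
        int n = snprintf(out, outlen, "%s/demo-%08x.tmp", dir, first + (unsigned)i);
        if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
        int fd = open(out, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            return fd;
        if (errno != EEXIST)
            return -1;              /* genuine error: do not keep trying */
    }
    errno = EEXIST;
    return -1;
}

int main(void)
{
    char tmpl[] = "/tmp/gnat-demo-XXXXXX";   /* constructed sample path */
    int fd = open_temp_mkstemp(tmpl);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s\n", tmpl);
    close(fd);
    unlink(tmpl);
    return 0;
}
```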
ADDITIONAL INFORMATION
The information has been provided by Florian Weimer
<Weimer@CERT.Uni-Stuttgart.DE>.