[VulnWatch] Secunia Research: StarOffice / OpenOffice Insecure Temporary File Creation

From: Carsten H. Eiram (che_at_secunia.com)
Date: 09/13/04

  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory - Multiple vendor MIME field multiple occurrence issue"
    To: Full Disclosure <full-disclosure@lists.netsys.com>
    Date: Mon, 13 Sep 2004 09:37:34 +0200
    
    

    ======================================================================

                         Secunia Research 13/09/2004

         - StarOffice / OpenOffice Insecure Temporary File Creation -

    ======================================================================
    Table of Contents

    Affected Software....................................................1
    Severity.............................................................2
    Vendor's Description of Software.....................................3
    Description of Vulnerability.........................................4
    Solution.............................................................5
    Time Table...........................................................6
    Credits..............................................................7
    References...........................................................8
    About Secunia........................................................9
    Verification........................................................10

    ======================================================================
    1) Affected Software

    StarOffice 7
    OpenOffice 1.1.2

    ======================================================================
    2) Severity

    Rating: Less Critical
    Impact: Exposure of Sensitive Information
    Where: Local System

    ======================================================================
    3) Vendor's Description of Software

    "StarOffice 7 Office Suite is the world's leading office productivity
    suite on Linux and the Solaris OS, and the leading alternative office
    suite on Windows.".

    Product link:
    http://wwws.sun.com/software/star/staroffice/

    "OpenOffice.org is both an Open Source product and a project. The
    product is a multi-platform office productivity suite. It includes
    the key desktop applications, such as a word processor, spreadsheet,
    presentation manager, and drawing program, with a user interface and
    feature set similar to other office suites.".
     
    Product link:
    http://www.openoffice.org/

    ======================================================================
    4) Description of Vulnerability

    Secunia has discovered a vulnerability in StarOffice and OpenOffice,
    which can be exploited by malicious, local users to gain knowledge of
    sensitive information.

    The vulnerability is caused due to temporary files being created with
    insecure permissions (usually "664" or "644" depending on the user's
    umask) in the "/tmp" folder when open documents are saved.

    Example:

    $ ls -la /tmp/svh69.tmp/
    total 16
    drwxrwxr-x 2 test test 4096 Aug 18 12:32 .
    drwxrwxrwt 10 root root 4096 Aug 18 12:31 ..
    -rw-rw-r-- 1 test test 4937 Aug 18 12:32 svh6g.tmp

    Successful exploitation allows an unprivileged user to read arbitrary
    users' currently open documents.

    ======================================================================
    5) Solution

    The vulnerability has been fixed in Product Update 3 for StarOffice
    and a release candidate of OpenOffice 1.1.3.

    ======================================================================
    6) Time Table

    16/08/2004 - Vulnerability discovered.
    17/08/2004 - Vendor notified.
    17/08/2004 - Vendor confirms vulnerability.
    13/09/2004 - Public disclosure.

    ======================================================================
    7) Credits

    Discovered by Carsten Eiram, Secunia Research.

    ======================================================================
    8) References

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the vulnerability candidate number: CAN-2004-0752.

    ======================================================================
    9) About Secunia

    Secunia collects, validates, assesses, and writes advisories regarding
    all the latest software vulnerabilities disclosed to the public. These
    advisories are gathered in a publicly available database at the
    Secunia website:

    http://secunia.com/

    Secunia offers services to our customers enabling them to receive all
    relevant vulnerability information to their specific system
    configuration.

    Secunia offers a FREE mailing list called Secunia Security Advisories:

    http://secunia.com/secunia_security_advisories/

    ======================================================================
    10) Verification

    Please verify this advisory by visiting the Secunia website:
    http://secunia.com/secunia_research/2004-5/
    ======================================================================


  • Next message: advisories: "[VulnWatch] Corsaire Security Advisory - Multiple vendor MIME field multiple occurrence issue"

    Relevant Pages