[VulnWatch] ncompress insecure temporary file creation

From: ZATAZ Audits (exploits_at_zataz.net)
Date: 09/16/05

Next message: ZATAZ Audits: "[VulnWatch] arc insecure temporary file creation"

Previous message: ZATAZ Audits: "[VulnWatch] gwcc insecure temporary file creation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 16 Sep 2005 16:00:05 +0200
To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, moderators@osvdb.org, bugs@securitytracker.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk

#########################################################

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.

Secunia has reported that D1g1t4lLeech has discovered this bug
the 2005-09-16

ZATAZ Audit has discovered this bug the 2005-09-05

D1g1t4lLeech is a true Leecher :)

Gentoo Security take care on your IRC Channel, spy everywhere.

##########
Versions:
##########

ncompress <= 4.2.4-r1

##########
Solution:
##########

To prevent symlink attack use kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no reponse
Vendor fix : no patch
Vendor Sec report (vendor-sec@lst.de) :
Disclosure :

#####################
Technical details :
#####################

ncompress use vulnerable version off zdiff and zcmp.

#########
Related :
#########

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)

Next message: ZATAZ Audits: "[VulnWatch] arc insecure temporary file creation"

Previous message: ZATAZ Audits: "[VulnWatch] gwcc insecure temporary file creation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-disclosure] LutelWall <= 0.97 insecure temporary file creation
... The vulnerability is caused due to temporary file being created insecurely. ... The exploitation require that the root try to update the software. ... Vendor notified: 2005-05-22 ...
(Full-Disclosure)
LutelWall <= 0.97 insecure temporary file creation
... The vulnerability is caused due to temporary file being created insecurely. ... The exploitation require that the root try to update the software. ... Vendor notified: 2005-05-22 ...
(Bugtraq)
[VulnWatch] LutelWall <= 0.97 insecure temporary file creation
... The vulnerability is caused due to temporary file being created insecurely. ... The exploitation require that the root try to update the software. ... Vendor notified: 2005-05-22 ...
(VulnWatch)
Multiple vulnerabilities in ZENphoto
... Vendor Notification: 18 January 2012 ... Successful exploitation of this vulnerability requires the attacker to be logged-in and have access to "Manage Albums" function. ... This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website. ...
(Bugtraq)
silc server and toolkit insecure temporary file creation
... Exploitation: low ... The vulnerability is caused due to temporary file being created insecurely. ... Vendor notified: 2005-06-15 ...
(Bugtraq)