[VulnWatch] ncompress insecure temporary file creation

From: ZATAZ Audits (exploits_at_zataz.net)
Date: 09/16/05

  • Next message: ZATAZ Audits: "[VulnWatch] arc insecure temporary file creation"
    Date: Fri, 16 Sep 2005 16:00:05 +0200
    To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, moderators@osvdb.org, bugs@securitytracker.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk
    
    

    #########################################################

    ncompress insecure temporary file creation

    Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
    Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
    Vendor informed: yes
    Exploit available: yes
    Impact : low
    Exploitation : low

    #########################################################

    The vulnerability is caused due to temporary file being created insecurely.
    This can be exploited via symlink attacks in combination with a race
    condition to create and overwrite arbitrary files
    with the privileges of the user running the affected script.

    Secunia has reported that D1g1t4lLeech has discovered this bug
    the 2005-09-16

    ZATAZ Audit has discovered this bug the 2005-09-05

    D1g1t4lLeech is a true Leecher :)

    Gentoo Security take care on your IRC Channel, spy everywhere.

    ##########
    Versions:
    ##########

    ncompress <= 4.2.4-r1

    ##########
    Solution:
    ##########

    To prevent symlink attack use kernel patch such as grsecurity

    #########
    Timeline:
    #########

    Discovered : 2005-09-05
    Vendor notified : 2005-09-05
    Vendor response : no reponse
    Vendor fix : no patch
    Vendor Sec report (vendor-sec@lst.de) :
    Disclosure :

    #####################
    Technical details :
    #####################

    ncompress use vulnerable version off zdiff and zcmp.

    #########
    Related :
    #########

    Secunia : http://secunia.com/advisories/13131/
    CVE : CAN-2004-0970

    #####################
    Credits :
    #####################

    Eric Romang (eromang@zataz.net - ZATAZ Audit)
    Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)


  • Next message: ZATAZ Audits: "[VulnWatch] arc insecure temporary file creation"

    Relevant Pages