STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability

advisory_at_stgsecurity.com
Date: 11/24/04

  • Next message: devnull_at_Rodents.Montreal.QC.CA: "Re: Changes to the filesystem while find is running - comments?"
    Date: 24 Nov 2004 02:59:03 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation
    vulnerability

    Revision 1.2
    Date Published: 2004-11-22 (KST)
    Last Update: 2004-11-22
    Disclosed by SSR Team (advisory@stgsecurity.com)

    Summary
    ========
    cscope is an interactive, screen-oriented tool that allows users to
    browse through C source files for specified elements of code.

    It is vulnerable to symlink attacks, potentially allowing a local user to
    overwrite arbitrary files with the right of the user running them, which
    could be root.

    Vulnerability Class
    ===================
    Design error: insecure temp file handling

    Details
    =======
    cscope was not designed to handle temp file securely.

    main.c 332 line
       /* create the temporary file names */
       pid = getpid();
       (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
       (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);

    temporary files created with predictable names.
    /tmp/cscope[pid].1
    /tmp/cscope[pid].2

    If temp1, temp2 are assigned once, they aren't changed until cscope is
    terminated. Because cscope uses temp1, temp2 values repeatedly whenever user
    searches specified element of code, it's trivial to guess the names of temp
    files.

    Impact
    ======
    Medium: System file corruption.

    Workaround
    ==========
    Do *NOT* run cscope as the right of root.

    rexolab's patch isn't the correct patch to this problem.
    cscope is made with C language, not PHP language, fopen() doesn't support
    mode 'x' in C library.

    Affected Products
    ================
    cscope 15.5 and prior

    Vendor Status: NOT FIXED
    =======================
    2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*)
    (http://xsdeny.net/kweblog/stories.php?story=03/04/03/9181080)
    2004-11-08 cscope developer notified.
    2004-11-17 rexolab released the advisory irresponsibly and incorrectly.
    2004-11-22 Official release.

    Credits
    ======
    Jeremy Bae at STG Security


  • Next message: devnull_at_Rodents.Montreal.QC.CA: "Re: Changes to the filesystem while find is running - comments?"