Full Disclosure mailing list archives
log4sh insecure temporary file creation
From: ZATAZ Audits <exploits () zataz net>
Date: Mon, 04 Jul 2005 10:17:17 +0200
######################################################### log4sh insecure temporary file creation Vendor: http://forestent.com/products/log4sh/ Advisory: http://www.zataz.net/adviso/log4sh-06092005.txt Vendor informed: yes Exploit available: no Impact : low Exploitation : low #########################################################The vulnerabilities are caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination to create and overwrite
arbitrary files with the privileges of the user running the affected script.
##########
Versions:
##########
log4sh <= 1.2.5
##########
Solution:
##########
Use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-05-26
Vendor notified : 2005-06-09
Vendor response : no reponse
Vendor fix : no fix
Vendor Sec report (vendor-sec () lst de) : 2005-06-27
Disclosure : 2005-07-04
#####################
Technical details :
#####################
Vulnerable code :
-----------------
356 log4sh_readProperties()
357 {
358 _file=$1
359
360 _tmpFile="/tmp/log4sh.$$"
361 grep "^log4sh\." $_file >$_tmpFile
#########
Related :
#########
Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94069
#####################
Credits :
#####################
Eric Romang (eromang () zataz net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- log4sh insecure temporary file creation ZATAZ Audits (Jul 04)