Full Disclosure mailing list archives
log4sh insecure temporary file creation
From: ZATAZ Audits <exploits () zataz net>
Date: Mon, 04 Jul 2005 10:17:17 +0200
######################################################### log4sh insecure temporary file creation Vendor: http://forestent.com/products/log4sh/ Advisory: http://www.zataz.net/adviso/log4sh-06092005.txt Vendor informed: yes Exploit available: no Impact : low Exploitation : low #########################################################The vulnerabilities are caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination to create and overwrite
arbitrary files with the privileges of the user running the affected script. ########## Versions: ########## log4sh <= 1.2.5 ########## Solution: ########## Use kernel patch such as grsecurity ######### Timeline: ######### Discovered : 2005-05-26 Vendor notified : 2005-06-09 Vendor response : no reponse Vendor fix : no fix Vendor Sec report (vendor-sec () lst de) : 2005-06-27 Disclosure : 2005-07-04 ##################### Technical details : ##################### Vulnerable code : ----------------- 356 log4sh_readProperties() 357 { 358 _file=$1 359 360 _tmpFile="/tmp/log4sh.$$" 361 grep "^log4sh\." $_file >$_tmpFile ######### Related : ######### Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94069 ##################### Credits : ##################### Eric Romang (eromang () zataz net - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- log4sh insecure temporary file creation ZATAZ Audits (Jul 04)