SimpleCDR-X - Insecure tempfile handling

[<jonas.thambert () hush ai>]

SimpleCDR-X - Insecure tempfile handling
+----------------------------------------+
Date: 2005-09-15
URL: http://ogre.rocky-road.net/cdr.shtml
Vendor Notified: Days ago, no answer.
Version: 1.3.3 latest


[- Description -]

Files beeing recorded can be read by any user on the system due to 
insecure tempfile handling. By default all tempfiles are copied, 
packed and stored in the hidden directory /tmp/.temp while beeing 
recorded with incorrect set permissions. Not very nice if you 
backup your /etc or any other sensitive files.

Example.
jonas@divinity:/tmp$ ls -al
drwxr-xr-x 2 root root 4096 2005-09-15 18:41 .temp

jonas@divinity:/tmp$ cd .temp/
jonas@divinity:/tmp/.temp$ ls -al
drwxr-xr-x 2 root root 4096 2005-09-15 18:41 .
drwxrwxrwt 11 root root 4096 2005-09-15 18:41 ..
-rw-r--r-- 1 root root 205615104 2005-09-15 18:41 
simplecdrxbKtBVC.iso


[- Code Location -]
The function MasterDataCD::createImage in src/masterdatacd.cpp is 
hosting the vulnerable code.


[- Exploit -]
Not needed.





Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/