oss-sec mailing list archives

CVE Request: VirtualBox tmp file issue

From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Mon, 24 Nov 2008 16:34:07 +0100

Hi,

http://www.virtualbox.org/wiki/Changelog:
VirtualBox 2.0.6
- Linux/Solaris/Darwin hosts: verify permissions in /tmp/vbox-$USER-ipc

These changes match that description:
http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810&old=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%407049

VirtualBox uses /tmp/vbox-$USER-ipc to store a socket and a lock
file. The lock file is truncated after a simple open call. AFAICS
creating /tmp/vbox-$USER-ipc before the victim starts VirtualBox
could therefore be exploited to create files as the victim or
truncate files of the victim.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Current thread:

CVE Request: VirtualBox tmp file issue Ludwig Nussel (Nov 24)
- Re: CVE Request: VirtualBox tmp file issue Moritz Muehlenhoff (Nov 24)