Bugtraq mailing list archives

everybuddy <= 0.4.3 insecure temporary file creation
From: Eric Romang / DATACENTER Luxembourg <eromang () dclux com>
Date: Mon, 06 Jun 2005 10:31:15 +0200

#########################################################

everybuddy insecure temporary file creation

Vendor: http://www.everybuddy.com/ (no more vendor URL)
Advisory: http://www.zataz.net/adviso/everybuddy-06062005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused by a temporary file being created insecurely, under a predictable name in /tmp.
This can be exploited via symlink attacks to create or overwrite arbitrary files with the privileges
of the user running the affected program.

##########
Versions:
##########

everybuddy <= 0.4.3

##########
Solution:
##########

Don't use this tool

#########
Timeline:
#########

Discovered : 2005-05-30
Vendor notified : no more vendor
Vendor response : no more vendor
Vendor fix : no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
-----------------

modules/utility/autotrans.c

  /* Predictable, user-derived name in /tmp; the file itself is created by the
   * shell-spawned wget -O, which follows whatever already sits at that path. */
  g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O /tmp/.eb.%s.translator 'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
             getenv("USER"), getenv("USER"), from, to, string);

  printf("Running command line:\n%s\n", buf);

  if(system(buf)!=0)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  /* The same fixed name is reopened by path, so the program reads back
   * whatever file that path now refers to. */
  g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));

  if((dat=fopen(buf, "r"))==NULL)
  {
    printf("COULD NOT TRANSLATE: %s\n", ostring);
    free(string);
    return strdup(ostring);
  }

  pos=0;

  /* Scan the downloaded page for the end of the translated text. */
  while(!feof(dat))
  {
    for(a=0; a<3; a++)
    {
      lastfew[a]=lastfew[a+1];
    }
    lastfew[3]=(char)getc(dat);

    if(printing>=1)
    {
      buf[pos++]=lastfew[3];
      if(pos==1023) { buf[pos]='\0'; break; }
    }

    if(!strcmp(lastfew, "</TE"))
    {
      printf("Found end\n");
      if (pos >= 5) {
        buf[pos-4]='\0';
        printing++;
        while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
        {
          buf[pos-5]='\0';
          pos--;
        }
      }
      break;
    }
    /* excerpt ends here; the loop continues in the original source */

#########
Related :
#########

Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94473

#####################
Credits :
#####################

Eric Romang (eromang () zataz net - ZATAZ Audit)
Thanks to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
