Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability
From: "SSR Team" <advisory () stgsecurity com>
Date: Wed, 24 Nov 2004 11:54:16 +0900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation
vulnerability

Revision 1.2
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory () stgsecurity com)

Summary
========
cscope is an interactive, screen-oriented tool that allows users to
browse through C source files for specified elements of code.

It is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files with the right of the user running them, which
could be root.


Vulnerability Class
===================
Design error: insecure temp file handling


Details
=======
cscope was not designed to handle temp file securely.

main.c 332 line
   /* create the temporary file names */
   pid = getpid();
   (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
   (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);

temporary files created with predictable names.
/tmp/cscope[pid].1
/tmp/cscope[pid].2

If temp1, temp2 are assigned once, they aren't changed until cscope is
terminated. Because cscope uses temp1, temp2  values repeatedly whenever
user
searches specified element of code, it's trivial to guess the names of temp
files.

Impact
======
Medium: System file corruption.

Workaround
==========
Do *NOT* run cscope as the right of root.

rexolab's patch isn't the correct patch to this problem.
cscope is made with C language, not PHP language, fopen() doesn't support
mode 'x' in C library.

Affected Products
================
cscope 15.5 and prior

Vendor Status: NOT FIXED
=======================
2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*)
(http://xsdeny.net/kweblog/stories.php?story=03/04/03/9181080)
2004-11-08 cscope developer notified.
2004-11-17 rexolab released the advisory irresponsibly and incorrectly.
2004-11-22 Official release.

Credits
======
Jeremy Bae at STG Security

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBQaP3zD9dVHd/hpsuEQLOGACguBVlVe9myH978BHK+obHw6oPu1EAoOrH
NrR86vgntUyQNJ7MacySBuBw
=qDsj
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability SSR Team (Nov 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault