mailing list archives
STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability
From: "SSR Team" <advisory () stgsecurity com>
Date: Wed, 24 Nov 2004 11:54:16 +0900
-----BEGIN PGP SIGNED MESSAGE-----
STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation
Date Published: 2004-11-22 (KST)
Last Update: 2004-11-22
Disclosed by SSR Team (advisory () stgsecurity com)
cscope is an interactive, screen-oriented tool that allows users to
browse through C source files for specified elements of code.
It is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files with the right of the user running them, which
could be root.
Design error: insecure temp file handling
cscope was not designed to handle temp file securely.
main.c 332 line
/* create the temporary file names */
pid = getpid();
(void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid);
(void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid);
temporary files created with predictable names.
If temp1, temp2 are assigned once, they aren't changed until cscope is
terminated. Because cscope uses temp1, temp2 values repeatedly whenever
searches specified element of code, it's trivial to guess the names of temp
Medium: System file corruption.
Do *NOT* run cscope as the right of root.
rexolab's patch isn't the correct patch to this problem.
cscope is made with C language, not PHP language, fopen() doesn't support
mode 'x' in C library.
cscope 15.5 and prior
Vendor Status: NOT FIXED
2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*)
2004-11-08 cscope developer notified.
2004-11-17 rexolab released the advisory irresponsibly and incorrectly.
2004-11-22 Official release.
Jeremy Bae at STG Security
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
- STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability SSR Team (Nov 24)