Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
From: Robert Buchholz <rbu () gentoo org>
Date: Fri, 25 Jul 2008 03:17:08 +0200

On Friday 18 July 2008, Jan Minář wrote:
3. Vulnerability

During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory.  This code is run when Vim is
being build with Python support:


         677         dnl -- we need to examine Python's
config/Makefile too 678         dnl    see what the interpreter is
built from 679         AC_CACHE_VAL(vi_cv_path_python_plibs,
         680         [
         681             tmp_mkf="/tmp/Makefile-conf$$"
  (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof'
${tmp_mkf} 683 __:
         684         @echo "python_MODLIBS='$(MODLIBS)'"
         685         @echo "python_LIBS='$(LIBS)'"
         686         @echo "python_SYSLIBS='$(SYSLIBS)'"
         687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
         688 eof
         689             dnl -- delete the lines from make about
Entering/Leaving directory
  (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
         691             rm -f ${tmp_mkf}

The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1).  In
the time between (1) and (2), arbitrary commands can be written to
the file.  They will be executed at (2).

The commands do not have to be written there between (1) and (2), they 
can be in the file long before the ./configure was started -- just 
because the script does care whether it can write to the file at all. 
So unlike stated in the advisory, and in CVE-2008-3294, the issue does 
not involve a race condition if the attacker would choose to create a 
644 file.


Attachment: signature.asc
Description: This is a digitally signed message part.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]