Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
From: Robert Buchholz <rbu () gentoo org>
Date: Fri, 25 Jul 2008 12:18:21 +0200

On Friday 25 July 2008, Jan Minář wrote:
2008/7/25 Robert Buchholz <rbu () gentoo org>:
On Friday 18 July 2008, Jan Minář wrote:
...

3. Vulnerability

During the build process, a temporary file with a predictable name
is created in the ``/tmp'' directory.  This code is run when Vim
is being build with Python support:

src/configure.in:

         677         dnl -- we need to examine Python's
config/Makefile too 678         dnl    see what the interpreter is
built from 679         AC_CACHE_VAL(vi_cv_path_python_plibs,
         680         [
         681             tmp_mkf="/tmp/Makefile-conf$$"
  (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof'

${tmp_mkf} 683 __:

         684         @echo "python_MODLIBS='$(MODLIBS)'"
         685         @echo "python_LIBS='$(LIBS)'"
         686         @echo "python_SYSLIBS='$(SYSLIBS)'"
         687         @echo
"python_LINKFORSHARED='$(LINKFORSHARED)'" 688 eof
         689             dnl -- delete the lines from make about
Entering/Leaving directory
  (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f
${tmp_mkf} __ | sed '/ directory /d'`"
         691             rm -f ${tmp_mkf}

The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1). 
In the time between (1) and (2), arbitrary commands can be written
to the file.  They will be executed at (2).

The commands do not have to be written there between (1) and (2),
they can be in the file long before the ./configure was started --
just because the script does care whether it can write to the file
at all. So unlike stated in the advisory, and in CVE-2008-3294, the
issue does not involve a race condition if the attacker would
choose to create a 644 file.

The file gets truncated in (1).  You're wrong, the advisory is right.

Truncation will fail if the configure is not running as root.

Robert

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]