[20334] in bugtraq


Re: VMware symlink problems

daemon@ATHENA.MIT.EDU (peterw@usa.net)
Fri Apr 20 03:05:22 2001

Message-ID:  <200104192157.RAA25637@rcn.com>
Date:         Thu, 19 Apr 2001 17:57:54 -0400
Reply-To: peterw@usa.net
From: peterw@usa.net
X-To:         Paul Starzetz <paul@STARZETZ.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3ADDBB5D.205386BF@starzetz.de>

At Wed, 18 Apr 2001 18:05:49 +0200 , Paul Starzetz <paul@STARZETZ.DE> wrote:

>There is a symlink vulnerability in the vmware-mount.pl script which comes
>with the latest VMware.

>While mounting virtual disk drives using the vmware-mount.pl script, a
>temporary file named vmware-mount.pl.PID where PID is the current pid of
>the command will be created in an insecure manner.

VMware likes to have a good, safe TMPDIR variable set:

$ grep TMP vmware-mount.pl
  return defined($ENV{TMPDIR}) ? $ENV{TMPDIR} : "/tmp";

This is a simple variation on an old theme. Make sure you have safe
TMP and TMPDIR variables set at all times. If you want a set of scripts
for safely creating such dirs and setting env vars at login time, see
my TMPDIR scripts at http://www.tux.org/~peterw/

These will also be included with the soon-to-be-released Bastille 1.2.0.

-Peter
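
One way to set a safe TMPDIR at login, as the reply recommends. This is an added example, not part of the original message and not the TMPDIR scripts it links to; the function names and the tmp-<uid> naming scheme are assumptions.

```shell
#!/bin/sh
# Added example (not the linked TMPDIR scripts). Function names and the
# tmp-<uid> naming scheme are assumptions made for illustration.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, with mode exactly rwx------.
is_private_dir() {
    d=$1
    if [ -L "$d" ] || [ ! -d "$d" ] || [ ! -O "$d" ]; then
        return 1
    fi
    case $(ls -ld "$d") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a private temp dir under $1 (default /tmp) and export TMPDIR/TMP.
setup_private_tmp() {
    base=${1:-/tmp}
    uid=$(id -u) || return 1
    dir=$base/tmp-$uid
    # mkdir(2) fails with EEXIST if the name already exists, even as a
    # dangling symlink, so a planted link is never followed.
    mkdir -m 700 "$dir" 2>/dev/null || :
    if ! is_private_dir "$dir"; then
        # The predictable name was taken or is unsafe: fall back to a
        # random name instead of trusting what is there.
        dir=$(mktemp -d "$base/tmp-$uid.XXXXXX") || return 1
        is_private_dir "$dir" || return 1
    fi
    TMPDIR=$dir
    TMP=$dir
    export TMPDIR TMP
}

# Typical use from a login script:
#   setup_private_tmp /tmp || echo "no safe TMPDIR" >&2
```

With TMPDIR pointing at a directory only the user can write to, a predictable name such as vmware-mount.pl.PID can no longer be pre-created there by another local user.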
