[40339] in bugtraq
ncompress insecure temporary file creation
daemon@ATHENA.MIT.EDU (ZATAZ Audits)
Fri Sep 16 15:08:02 2005
Message-ID: <432ACFE5.1000006@zataz.net>
Date: Fri, 16 Sep 2005 16:00:05 +0200
From: ZATAZ Audits <exploits@zataz.net>
Reply-To: exploits@zataz.net
MIME-Version: 1.0
To: vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com,
moderators@osvdb.org, bugs@securitytracker.com,
submissions@packetstormsecurity.org, news@securiteam.com,
xforce@iss.net, bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Cc: "Eric Romang / ZATAZ.com" <eromang@zataz.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
#########################################################
ncompress insecure temporary file creation
Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.
Secunia has reported that D1g1t4lLeech has discovered this bug
the 2005-09-16
ZATAZ Audit has discovered this bug the 2005-09-05
D1g1t4lLeech is a true Leecher :)
Gentoo Security take care on your IRC Channel, spy everywhere.
##########
Versions:
##########
ncompress <= 4.2.4-r1
##########
Solution:
##########
To prevent symlink attack use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no reponse
Vendor fix : no patch
Vendor Sec report (vendor-sec@lst.de) :
Disclosure :
#####################
Technical details :
#####################
ncompress use vulnerable version off zdiff and zcmp.
#########
Related :
#########
Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)
