######################################################### Gentoo webapp-config insecure temporary file creation Vendor: http://www.gentoo.org Advisory: http://www.zataz.net/adviso/webapp-config-05182005.txt Vendor informed: yes Exploit available: yes Impact : high Exploitation : low ######################################################### Gentoo webapp-config contain a security flaw which could allow a malicious local user to execute command with root privileges. The vulnerability is due to an insecure temporary file creation. The exploitation require that the root user install, upgrade or delete Gentoo provided web application with the webapp-config tool. ########## Versions: ########## webapp-config < 1.10-r14 ########## Solution: ########## Upgrade to net-www/webapp-config 1.10-r14 ######### Timeline: ######### Discovered : 2005-05-07 Vendor notified : 2005-05-07 Vendor response : 2005-05-07 Vendor fix : 2005-05-08 Disclosure : 2005-05-22 ##################### Technical details : ##################### Vulnerable code : ----------------- Begin line 2711 fn_show_postinst () { if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then return fi local my_file="/tmp/$$.postinst.txt" fn_run_vars # we create a temporary file, so that we can expand the variables # that are used in the file echo "cat < "$my_file" cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file" echo "webapp-EOF" >> "$my_file" # execute the temporary file, to generate the output echo . "$my_file" echo # it's a temporary file, so let's get rid of it now rm -f "$my_file" } ##### POC : ##### http://www.zataz.net/dev/webapp-poc.sh.txt ######### Related : ######### Bug report : https://bugs.gentoo.org/show_bug.cgi?id=91785 GLSA : Waiting for it ##################### Credits : ##################### Eric Romang (eromang@zataz.net - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)