<<< Date Index >>>     <<< Thread Index >>>

cdwrite 1.3 insecure tmp file handling vulnerability.



#########################################################

Application: cdwrite 1.3
Versions: 1.3
Vendor: Cezary M. Kruk & H. P. de Vries
Impact: Could allow attacker to overwrite/manipulate
files as the user running cdwrite.
Vendor status: Vendor contacted, no reply yet.
Date: 06/12/03

#########################################################



~*~*~*~*~*~*~*~
Introduction
~*~*~*~*~*~*~*~

"Cdwrite is the shell for creation of data and audio
disks, including compilations. It allows to use
pregaps and recognizes indices. The shell needs
mkisofs and cdrecord for data and cdparanoia,
cdda2wav, cdrdao, and -- optionally -- lame for
audio.".  However, there exists a vulnerability in the
way that cdwrite 1.3 handles tmp files.  This could
result in an attacker manipulating or overwriting
files as the user running cdwrite 1.3.


~*~*~*~*~*~*~*~
The Bug
~*~*~*~*~*~*~*~

The bug occurs when cdwrite 1.3 creates a temp file
(by default '/tmp/.tempfile') to store certain things,
never checking the validity or authenticity of the
file before writing to, reading from or executing the
tmp file.  Consequently, an attacker could create a
symlink from the tmp file (/tmp/.tempfile) to a file
owned by (or a file which the user has write
permissions to) the user running cdwrite 1.3, causing
arbitrary files to be overwritten/manipulated as the
user invoking cdwrite.


~*~*~*~*~*~*~*~
The Exploit
~*~*~*~*~*~*~*~

No exploit code is necessary.  All that is required is
that an attacker symlinks the file to an arbitrary
file of her choice during the execution of the cdwrite
1.3 script.  Example

---SNIP
ls -al /tmp/.tempfile
ln -s /etc/nologin /tmp/.tempfile
---SNIP

Assuming it was the root user which invoked the
cdwrite script, all users except root would now be
temporarily locked out of the system, due to the
existance of /etc/nologin.

More critical system files could be overwritten or
manipulated, but above serves as an illustrating
example.  As a matter of severity, at the end of the
script, cdwrite 1.3 deletes (rm -f /tmp/.tempfile) the
created tmp file, thus important system files could be
DELETED altogether assuming that cdwrite 1.3 is
executed by root.


~*~*~*~*~*~*~*~
The Fix
~*~*~*~*~*~*~*~

I contacted the vendor (Cezary M. Kruk) earlier, he
may decide to patch this issue, or not.  The issue
would not be particuarly hard to fix, but I'll wait
for Cezary's response.



~*~*~*~*~*~*~*~
Credit
~*~*~*~*~*~*~*~

This vulnerability was discovered by Shaun Colley /
shaun2k2 on 06/12/03.



Merry Christmas all!



Thank you for your time.
Shaun.




________________________________________________________________________
BT Yahoo! Broadband - Save £80 when you order online today. Hurry! Offer ends 
21st December 2003. The way the internet was meant to be. 
http://uk.rd.yahoo.com/evt=21064/*http://btyahoo.yahoo.co.uk