everybuddy <= 0.4.3 insecure temporary file creation
- To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: everybuddy <= 0.4.3 insecure temporary file creation
- From: Eric Romang / DATACENTER Luxembourg <eromang@xxxxxxxxx>
- Date: Mon, 06 Jun 2005 10:31:15 +0200
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Organization: DATACENTER Luxembourg
- User-agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.8) Gecko/20050511
#########################################################
everybuddy insecure temporary file creation
Vendor: http://www.everybuddy.com/ (no more vendor URL)
Advisory: http://www.zataz.net/adviso/everybuddy-06062005.txt
Vendor informed: no more vendor
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks in combination to create and
overwrite
arbitrary files with the privileges of the user running the affected script.
##########
Versions:
##########
everybuddy <= 0.4.3
##########
Solution:
##########
Don't use this tool
#########
Timeline:
#########
Discovered : 2005-05-30
Vendor notified : no more vendor
Vendor response : no more vendor
Vendor fix : no fix
Disclosure : 2005-06-06
#####################
Technical details :
#####################
Vulnerable code :
-----------------
modules/utility/autotrans.c
258 g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O
/tmp/.eb.%s.translator
'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
259 getenv("USER"), getenv("USER"), from, to, string);
260
261 printf("Running command line:\n%s\n", buf);
262
263 if(system(buf)!=0)
264 {
265 printf("COULD NOT TRANSLATE: %s\n", ostring);
266 free(string);
267 return strdup(ostring);
268 }
269
270 g_snprintf(buf, 2048, "/tmp/.eb.%s.translator", getenv("USER"));
271
272 if((dat=fopen(buf, "r"))==NULL)
273 {
274 printf("COULD NOT TRANSLATE: %s\n", ostring);
275 free(string);
276 return strdup(ostring);
277 }
278
279 pos=0;
280
281 while(!feof(dat))
282 {
283 for(a=0; a<3; a++)
284 {
285 lastfew[a]=lastfew[a+1];
286 }
287 lastfew[3]=(char)getc(dat);
288
289 if(printing>=1)
290 {
291 buf[pos++]=lastfew[3];
292 if(pos==1023) { buf[pos]='\0'; break; }
293 }
294
295 if(!strcmp(lastfew, "</TE"))
296 {
297 printf("Found end\n");
298 if (pos >= 5) {
299 buf[pos-4]='\0';
300 printing++;
301 while(pos>=5 && (buf[pos-5]=='\n' || buf[pos-5]=='\r'))
302 {
303 buf[pos-5]='\0';
304 pos--;
305 }
306 }
307 break;
308 }
#########
Related :
#########
Gentoo Bugs report : http://bugs.gentoo.org/show_bug.cgi?id=94473
#####################
Credits :
#####################
Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)
----------------------------------------------------------------------------
This e-mail and any attached files are confidential and intended solely for the
use of the individual or entity to whom they are addressed. If you have
received this e-mail by mistake, please notify the sender immediately and
delete it from your system. You must not copy the message or disclose its
contents to anyone.
----------------------------------------------------------------------------