LutelWall <= 0.97 insecure temporary file creation
- To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: LutelWall <= 0.97 insecure temporary file creation
- From: ZATAZ Audits <exploits@xxxxxxxxx>
- Date: Mon, 06 Jun 2005 10:21:54 +0200
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Organization: ZATAZ Audits
- User-agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.8) Gecko/20050511
#########################################################
LutelWall insecure temporary file creation
Vendor: http://firewall.lutel.pl/index.php
Advisory: http://www.zataz.net/adviso/lutelwall-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low
#########################################################
The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks to create and overwrite
arbitrary files
with the privileges of the user running the affected script.
The exploitation require that the root try to update the software.
##########
Versions:
##########
LutelWall <= 0.97
##########
Solution:
##########
non solution yet.
#########
Timeline:
#########
Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : none
Vendor fix : no fix
Disclosure : 2005-06-06
#####################
Technical details :
#####################
Vulnerable code :
-----------------
# Prefix of temporary firewall files
tmp='/tmp/lutelwall'
new_version_check () { # Check for new version of script
if [ "`wget -V 2>&1 >/dev/null`" ]; then
message 3 "Warrning: Wget is required to check for updates."
else
new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`"
http://firewall.lutel.pl/ver`
if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'`
-lt `echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then
echo -e "\nThere is newer version of LutelWall (${new_ver})"
echo -n " Changes since previous version:"
echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3
http://firewall.lutel.pl/FEATURES-${new_ver}`
cat $tmp-newfeat
echo "Do you want to update [y/N]? "
read -s -t 5 -n 1 ln
if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then
wget -O $tmp-script -q -T 3 http://firewall.lutel.pl/lutelwall
cat $tmp-script > $0
rm -rf $tmp-script
echo "Your firewall is up to date, exiting after update!"
exit
else
message 5 "Update aborted"
fi
else
message 5 "LutelWall is up-to-date"
fi;
fi;
}
#########
Related :
#########
nothing related
#####################
Credits :
#####################
Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit)