ncompress insecure temporary file creation
- To: vuldb@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, vuln@xxxxxxxxxx, moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, xforce@xxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: ncompress insecure temporary file creation
- From: ZATAZ Audits <exploits@xxxxxxxxx>
- Date: Fri, 16 Sep 2005 16:00:05 +0200
- Cc: "Eric Romang / ZATAZ.com" <eromang@xxxxxxxxx>
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Organization: ZATAZ Audits
- Reply-to: exploits@xxxxxxxxx
- User-agent: Mozilla/5.0 (X11; U; Linux i686; fr-FR; rv:1.7.10) Gecko/20050716
#########################################################
ncompress insecure temporary file creation
Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.
Secunia has reported that D1g1t4lLeech has discovered this bug
the 2005-09-16
ZATAZ Audit has discovered this bug the 2005-09-05
D1g1t4lLeech is a true Leecher :)
Gentoo Security take care on your IRC Channel, spy everywhere.
##########
Versions:
##########
ncompress <= 4.2.4-r1
##########
Solution:
##########
To prevent symlink attack use kernel patch such as grsecurity
#########
Timeline:
#########
Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no reponse
Vendor fix : no patch
Vendor Sec report (vendor-sec@xxxxxx) :
Disclosure :
#####################
Technical details :
#####################
ncompress use vulnerable version off zdiff and zcmp.
#########
Related :
#########
Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970
#####################
Credits :
#####################
Eric Romang (eromang@xxxxxxxxx - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)