Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution

To: vim_dev@xxxxxxxxxxxxxxxx
Subject: Re: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
From: "Nikolai Weibull" <now@xxxxxxxx>
Date: Fri, 18 Jul 2008 09:38:28 +0200
Cc: bugs@xxxxxxx, vim-dev@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=72iMEoQZgqnsaXXlaA0PtWpYeP/BvxqmNFy6MwsOaaw=; b=S0xfbcLtCclk8iHWtH3BORGYOMCYsTZpDWNrfkgn2JuONEdnHTtrtkxG1o1rikuf7A adv/Ayc0M6Z1ds03ZCQWn4ZwfdP1qRwelYHQsXANVix8WgoPi4V+MfTdGvCLamLygWyl QltFB2LfWu2vjyg383//pbdsmdaSunWnZnVIU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=UKla6o/CGBsAbg7LH6a66q03/b4MqjyOk63GcrK/AV60N6GnyVaUfKpCwhhs80kHup OvEje9/NwUnytO+B9a14+bCpuAMcIalIy5dDb9KFSiggVxDBLM095IO05zQugZZkQn+j aFWhDJGr6vcI0ubBmCJOQYVbpqQtcAmAWjGy0=
In-reply-to: <6edf76c20807171554n255ccd8cka58ca41dc1fca7b0@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6edf76c20807171554n255ccd8cka58ca41dc1fca7b0@xxxxxxxxxxxxxx>
Sender: nikolai.weibull@xxxxxxxxx

On Fri, Jul 18, 2008 at 00:54, Jan Minář <rdancer@xxxxxxxxxxx> wrote:

> The attacker has to create the temporary file
> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1).  In
> the time between (1) and (2), arbitrary commands can be written to the
> file.  They will be executed at (2).

> Patch fixing this vulnerability can be found at the following URL:
>
>           http://www.rdancer.org/vulnerablevim-configure.in.patch

Using mktemp is a lot safer than using $$, but the file can still be
written to between the creation and setup of the file and the eval.
Dealing with temporary files in shell scripts is always racy.  This
fixes the easily guessed PID-pattern problem and as mktemp creates its
file in a hopefully non-shared directory, increases security a great
deal, but it's still racy.

Why not use pipes instead?

eval "`cd /usr/lib/python2.4/config && (cat Makefile - <<'eof'
__:
        @echo "python_MODLIBS='$(MODLIBS)'"
        @echo "python_LIBS='$(LIBS)'"
        @echo "python_SYSLIBS='$(SYSLIBS)'"
        @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
eof
) | make -f - __ | sed '/ directory /d'`"

(I really don't see the point of the sed.  Isn't that information
output to stderr anyway (in which case it should be suppressed?))

I'm not sure if this requires too much from make and sh, though.  It
works with Bash's sh emulation.

References:
- Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
  - From: Jan Minář

Prev by Date: [ISecAuditors Security Advisories] SmbClientParser Perl module allows remote command execution
Next by Date: [DSECRG-08-030] Claroline 1.8.9 Multiple Security Vulnerabilities
Previous by thread: Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
Next by thread: Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution
Index(es):
- Date
- Thread