
Re: [Full-disclosure] Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution



On Friday 18 July 2008, Jan Minář wrote:
...
> 3. Vulnerability
>
> During the build process, a temporary file with a predictable name is
> created in the ``/tmp'' directory.  This code is run when Vim is
> being built with Python support:
>
> src/configure.in:
>
>          677         dnl -- we need to examine Python's config/Makefile too
>          678         dnl    see what the interpreter is built from
>          679         AC_CACHE_VAL(vi_cv_path_python_plibs,
>          680         [
>          681             tmp_mkf="/tmp/Makefile-conf$$"
>   (1)--> 682             cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
>          683 __:
>          684         @echo "python_MODLIBS='$(MODLIBS)'"
>          685         @echo "python_LIBS='$(LIBS)'"
>          686         @echo "python_SYSLIBS='$(SYSLIBS)'"
>          687         @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
>          688 eof
>          689             dnl -- delete the lines from make about Entering/Leaving directory
>   (2)--> 690             eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
>          691             rm -f ${tmp_mkf}
>
> The attacker has to create the temporary file
> ``/tmp/Makefile-conf<PID>'' before it is first written to at (1).  In
> the time between (1) and (2), arbitrary commands can be written to
> the file.  They will be executed at (2).

The commands do not have to be written there between (1) and (2), they 
can be in the file long before the ./configure was started -- just 
because the script does care whether it can write to the file at all. 
So unlike stated in the advisory, and in CVE-2008-3294, the issue does 
not involve a race condition if the attacker would choose to create a 
644 file.

Robert
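The quoted configure.in fragment, rewritten the way a maintainer would harden it. This is an added example and not Vim's own code: it assumes mktemp(1) is available (GNU coreutils and the BSDs ship it; strict POSIX does not require it), and the sample Makefile used to exercise it is constructed here. The two changes that matter are that the temp file is created with an unpredictable name and O_EXCL, so a file already sitting in /tmp is never reused, and that the write is checked, so a failed "cat ... >" can no longer be followed by a "make -f" on whatever was already there.

```sh
#!/bin/sh
# Added example, not Vim's configure.in: the temp-Makefile step from the
# quoted advisory with a private, unpredictable temp file and checked steps.
# Assumes mktemp(1) exists (assumption; not guaranteed by POSIX).

# Write $confdir/Makefile plus an extra "__" target into a fresh mode-0600
# temp file and print its path.  mktemp creates the file with O_EXCL, so a
# pre-existing file is never reused, and a failed write removes the file
# and returns 1 instead of leaving configure to run make on it anyway.
build_conf_makefile() {
    confdir=$1
    tmp_mkf=$(mktemp "${TMPDIR:-/tmp}/Makefile-conf.XXXXXX") || return 1
    # "cat FILE -" copies the Makefile, then the quoted here-doc from stdin.
    # The recipe lines below start with a literal tab, as make(1) requires.
    if ! cat "$confdir/Makefile" - >"$tmp_mkf" <<'eof'
__:
	@echo "python_MODLIBS='$(MODLIBS)'"
	@echo "python_LIBS='$(LIBS)'"
	@echo "python_SYSLIBS='$(SYSLIBS)'"
	@echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
eof
    then
        rm -f "$tmp_mkf"
        return 1
    fi
    printf '%s\n' "$tmp_mkf"
}

# Run the generated Makefile's "__" target and eval the python_* assignments
# it prints (the same trick the original uses), then remove the temp file.
# Returns 1 if make is missing or produced nothing, so the caller can stop
# rather than continue with empty variables.
query_python_vars() {
    confdir=$1
    command -v make >/dev/null 2>&1 || return 1
    mkf=$(build_conf_makefile "$confdir") || return 1
    # -s silences make's own chatter; the sed keeps the original filter for
    # "Entering/Leaving directory" lines printed by some make versions.
    out=$(cd "$confdir" && make -s -f "$mkf" __ 2>/dev/null | sed '/ directory /d')
    rm -f "$mkf"
    [ -n "$out" ] || return 1
    eval "$out"
}

# Stand-alone demo:  sh this_script.sh --demo DIR   (DIR contains a Makefile)
if [ "${1-}" = "--demo" ] && [ -n "${2-}" ]; then
    query_python_vars "$2" &&
        printf 'MODLIBS=%s LIBS=%s\n' "$python_MODLIBS" "$python_LIBS"
fi
```

Because mktemp honours TMPDIR, a build can also be pointed at a directory only the build user can write to, which removes /tmp from the picture entirely; the checked return values are what turn a planted or unwritable file into a hard configure failure instead of silently executed make rules.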
