temporary directory
http://www.debian.org/security/ Giuseppe Iuculano
March 15, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : pulseaudio
Vulnerability : insecure temporary directory
Problem type : local
Debian-specific: no
CVE Id : CVE-2009-1299
Debian Bug : 573615
with temporary data. A solution to this problem is to pass the O_EXCL flag together with O_CREAT to open(). With that combination open() fails with EEXIST if the path already exists (including when it is a symlink planted by another user), so an existing file is never silently opened and reused.
So, how does the file name generation happen? First, cli_gentemp() determines the temporary directory. Callers of cli_gentemp() can specify their own temporary directory. If none is specified, the content of the TMPDIR environment variable is used. If that environment variable is unset, P_tmpdir or, failing that, "/tmp" is used. The generated file name has the format $TMPDIR/clamav-$HASH, where $HASH is derived from a fixed 16-byte "salt" and 32 (more or less) random bytes.
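As an added example (this is not ClamAV's code; choose_tmpdir, create_exclusive_tmp and demo_exclusive_refuses_existing are names chosen here), the following C shows the O_CREAT|O_EXCL pattern the text recommends, using the same directory-selection order described for cli_gentemp() and a random hex suffix in place of $HASH. The demonstration function plants a file at the generated name and shows that a second exclusive open is refused with EEXIST instead of reusing it:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory selection in the order the text describes for cli_gentemp():
 * caller-supplied directory, else $TMPDIR, else P_tmpdir, else "/tmp". */
const char *choose_tmpdir(const char *custom)
{
    const char *env;
    if (custom && *custom) return custom;
    env = getenv("TMPDIR");
    if (env && *env) return env;
#ifdef P_tmpdir
    return P_tmpdir;
#else
    return "/tmp";
#endif
}

/* Fill buf with len bytes from /dev/urandom; returns 0 on success. */
static int random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Create <dir>/<prefix>-<32 hex chars> atomically. O_CREAT|O_EXCL makes the
 * kernel fail with EEXIST if the name already exists; O_NOFOLLOW is a second
 * line of defence against symlinks; mode 0600 keeps other users out.
 * Returns an open fd and writes the path into out, or -1 on failure. */
int create_exclusive_tmp(const char *dir, const char *prefix, char *out, size_t outlen)
{
    unsigned char rnd[16];
    char hex[33];
    for (int tries = 0; tries < 100; tries++) {
        if (random_bytes(rnd, sizeof rnd) != 0) return -1;
        for (int i = 0; i < 16; i++) snprintf(hex + 2 * i, 3, "%02x", rnd[i]);
        if (snprintf(out, outlen, "%s/%s-%s", dir, prefix, hex) >= (int)outlen) return -1;
        int fd = open(out, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd >= 0) return fd;
        if (errno != EEXIST) return -1;  /* EEXIST: collision or planted name, retry */
    }
    return -1;
}

/* Demonstration: a name that already exists (planted here by ourselves,
 * standing in for an attacker's symlink or file) is refused with EEXIST
 * rather than silently reused. Returns 1 if the refusal happens. */
int demo_exclusive_refuses_existing(void)
{
    char path[4096];
    const char *dir = choose_tmpdir(NULL);
    int fd = create_exclusive_tmp(dir, "clamav", path, sizeof path);
    if (fd < 0) return 0;
    close(fd);
    /* a second exclusive open of the very same name must fail with EEXIST */
    int fd2 = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int refused = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0) close(fd2);
    unlink(path);
    return refused;
}
```

The retry loop matters: without O_EXCL a collision would open whatever sits at that path, and with O_EXCL alone the program would simply fail, so on EEXIST a fresh random name is tried instead.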
Problem Description:
Multiple vulnerabilities have been found and corrected in phpMyAdmin:
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates
a temporary directory with 0777 permissions, which has unknown impact
and attack vectors (CVE-2008-7251).
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses
predictable filenames for temporary files, which has unknown impact
and attack vectors (CVE-2008-7252).
4) dwnldFile
5) createCmdFile
The proof of concept uses "dwnldFile" and "runCmd" to upload an
arbitrary executable file and store it as "CPSWS.exe" in the
temporary directory of the victim's client system. "runCmd" is then
called to run the new malicious "CPSWS.exe" automatically and
compromise the client system.
So it is not only possible to execute commands on the clients, but also
to choose one's own arbitrary malicious payload.
In some cases, this attack can be used to escalate a local file inclusion
exploit to remote code execution.
Most operating systems do not delete the temporary files created by this
attack, even after the web server is restarted.
A large number of temporary files are therefore left in the temporary
directory (usually /tmp on Unix systems).
You can try to guess the name of one of these files and include it.
For this to work, every uploaded file should contain a PHP script
such as: <?php eval($_REQUEST[x]); ?>.
On Windows systems there are only 4 characters used for generating
to administer MySQL over the web. The Common Vulnerabilities and Exposures
project identifies the following problems:
CVE-2008-7251
phpMyAdmin may create a temporary directory, if the configured directory
does not exist yet, with insecure filesystem permissions.
CVE-2008-7252
phpMyAdmin uses predictable filenames for temporary files, which may
/<\/Scope>/ {
n
i\
<Folder TreeDisplay="false"> \
<Name>SUNWrmui Bootstrap Folder</Name> \
<Description>This is a temporary folder to work around a bug. It should be deleted during install. But if you do see it in the toolbox editor, do NOT delete it.</Description> \
<Icon>status_16.gif</Icon> \
<LargeIcon>status_32.gif</LargeIcon> \
</Folder>
}
Affected: 2007.1, 2008.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
Audacity creates a temporary directory with a predictable name without
checking for previous existence of that directory, which allows local
users to cause a denial of service (recording deadlock) by creating
the directory before Audacity is run. This issue can also be leveraged
to delete arbitrary files or directories via a symlink attack.
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Paul Martin discovered that xfs_fsr creates a temporary directory
with insecure permissions. This allows a local attacker to exploit a
race condition in xfs_fsr to read or overwrite arbitrary files on xfs
filesystems.
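The three directory bugs above share two root causes: a directory created with loose permissions (phpMyAdmin's 0777 directory, CVE-2008-7251; xfs_fsr's insecure permissions) and a predictable name used without checking what already sits there (Audacity's symlink attack). As an added example, not code from any of those projects, the following C shows both remedies: an unpredictable 0700 directory via mkdtemp(), and, for the case where the name must be fixed, a check that refuses anything pre-planted at that name. The function names create_private_tmpdir, secure_fixed_tmpdir and demo_fixed_tmpdir_checks are chosen here; the demonstration plants a symlink and a 0777 directory inside a private sandbox so nothing in the real /tmp is touched:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Unpredictable name, mode 0700, created atomically: the mkdtemp() way.
 * Returns 0 and writes the created path into buf, or -1. */
int create_private_tmpdir(const char *base, const char *prefix, char *buf, size_t len)
{
    if (snprintf(buf, len, "%s/%s-XXXXXX", base, prefix) >= (int)len) return -1;
    return mkdtemp(buf) ? 0 : -1;   /* mkdtemp creates the directory with 0700 */
}

/* Fixed-name case: try to create the directory ourselves; if it already
 * exists, accept it only when it is a real directory (not a symlink),
 * owned by us, and closed to group and others. Returns 0 if usable. */
int secure_fixed_tmpdir(const char *path)
{
    struct stat st;
    if (mkdir(path, 0700) == 0) return 0;
    if (errno != EEXIST) return -1;
    if (lstat(path, &st) != 0) return -1;    /* lstat: never follow a symlink */
    if (!S_ISDIR(st.st_mode)) return -1;     /* symlink or file planted at the name */
    if (st.st_uid != getuid()) return -1;    /* someone else's directory */
    if (st.st_mode & 0077) return -1;        /* group/world access, e.g. 0777 */
    return 0;
}

/* Demonstration inside a private sandbox: a symlink planted at the expected
 * name and a world-writable directory are both refused; a clean name is
 * created with 0700. Returns 1 when all three outcomes match. */
int demo_fixed_tmpdir_checks(void)
{
    char sandbox[4096], victim[4096], target[4096], loose[4096], fresh[4096];
    int ok = 1;
    const char *base = getenv("TMPDIR");
    if (!base || !*base) base = "/tmp";
    if (create_private_tmpdir(base, "sandbox", sandbox, sizeof sandbox) != 0) return 0;

    snprintf(victim, sizeof victim, "%s/victim", sandbox);
    snprintf(target, sizeof target, "%s/predictable-tmp", sandbox);
    snprintf(loose, sizeof loose, "%s/open-to-all", sandbox);
    snprintf(fresh, sizeof fresh, "%s/fresh", sandbox);

    /* attacker got there first: the predictable name is a symlink to a victim dir */
    mkdir(victim, 0700);
    symlink(victim, target);
    ok &= (secure_fixed_tmpdir(target) == -1);

    /* attacker got there first: a directory with 0777 (cf. CVE-2008-7251) */
    mkdir(loose, 0777);
    chmod(loose, 0777);                      /* defeat the umask for the demo */
    ok &= (secure_fixed_tmpdir(loose) == -1);

    /* nobody got there first: created by us with 0700 */
    ok &= (secure_fixed_tmpdir(fresh) == 0);

    rmdir(fresh); rmdir(loose); unlink(target); rmdir(victim); rmdir(sandbox);
    return ok;
}
```

Note that the fixed-name check only narrows the window; mkdir(path, 0700) followed by lstat() is still two operations, so mkdtemp() (or a per-user directory created once with 0700) is the preferred design whenever the name does not have to be fixed.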
If the system is vulnerable, this will read the /etc/passwd file
and render its contents into an image included in the text, so the
file content is disclosed.
Rendering takes place in a temporary folder by default, which should
be outside the web server's reach. Otherwise, even arbitrary code could
be injected to compromise the whole web environment.
By using relative paths with background knowledge of Moodle's path
organization, it is easy to disclose the configuration file with
sensitive data.
void DloadDS(
[in] BSTR bstrUrl,
[in] BSTR bstrName,
[in] long lShow);
When the "bstrUrl" parameter is set to a CAB file that can be downloaded over HTTP, "DloadDS()" downloads the file into the Windows Internet Explorer temporary directory and tries to execute the file named by the "bstrName" parameter; the key code follows:
.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ; lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
symlink attacks to perform certain actions with escalated privileges.
Workaround
==========
Restrict access to the temporary directory to trusted users only.
Resolution
==========
All Website META Language users should upgrade to the latest version:
The d_delete function in fs/ecryptfs/inode.c in eCryptfs in the
Linux kernel 2.6.31 allows local users to cause a denial of service
(kernel OOPS) and possibly execute arbitrary code via unspecified
vectors that cause a negative dentry and trigger a NULL pointer
dereference, as demonstrated via a Mutt temporary directory in an
eCryptfs mount. (CVE-2009-2908)
The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in
the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when
running on x86 systems, does not prevent access to MMU hypercalls