[VulnWatch] ncompress insecure temporary file creation

From: ZATAZ Audits (exploits@private)
Date: Fri Sep 16 2005 - 07:00:05 PDT


#########################################################

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused due to temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files
with the privileges of the user running the affected script.

Secunia has reported that D1g1t4lLeech has discovered this bug
the 2005-09-16

ZATAZ Audit has discovered this bug the 2005-09-05

D1g1t4lLeech is a true Leecher :)

Gentoo Security take care on your IRC Channel, spy everywhere.

##########
Versions:
##########

ncompress <= 4.2.4-r1

##########
Solution:
##########

To prevent symlink attack use kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no reponse
Vendor fix : no patch
Vendor Sec report (vendor-sec@private) :
Disclosure :

#####################
Technical details :
#####################

ncompress use vulnerable version off zdiff and zcmp.

#########
Related :
#########

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#####################
Credits :
#####################

Eric Romang (eromang@private - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)



This archive was generated by hypermail 2.1.3 : Fri Sep 16 2005 - 10:12:04 PDT