Ads ARC Insecure Temporary File Creation Wednesday, 21 September 2005 Summary ARC is "used to create and maintain file archives. An archive is a group of files collected together into one file in such a way that the individual files may be recovered intact". A vulnerability in ARC is caused due to temporary file being created insecurely. The temporary file used for archive creation could be read by untrusted users. Credit: The information has been provided by ZATAZ Audits. The original article can be found at: http://www.zataz.net/adviso/arc-09052005.txt Details Vulnerable Systems: * ARC versions 5.21j and prior. Vulnerable code: arc.c : 210 /* see where temp files go */ 211 #if !_MTS 212 arctemp = calloc(1, STRLEN); 213 if (!(arctemp2 = envfind("ARCTEMP"))) 214 arctemp2 = envfind("TMPDIR"); 215 if (arctemp2) { 216 strcpy(arctemp, arctemp2); 217 n = strlen(arctemp); 218 if (arctemp[n - 1] != CUTOFF) 219 arctemp[n] = CUTOFF; 220 } 221 #if UNIX 222 else strcpy(arctemp, "/tmp/"); 223 #endif 224 #if !MSDOS 225 { 226 static char tempname[] = "AXXXXXX"; 227 strcat(arctemp, mktemp(tempname)); 228 } 229 #else 230 strcat(arctemp, "$ARCTEMP"); 231 #endif 232 #else 233 guinfo("SHFSEP ", gotinf); 234 sepchr[0] = gotinf[0]; 235 guinfo("SCRFCHAR", gotinf); 236 tmpchr[0] = gotinf[0]; 237 arctemp = "-$$$"; 238 arctemp[0] = tmpchr[0]; 239 #endif 240 arctemp2 = NULL; 241 242 #if !UNIX 243 /* avoid any case problems with arguments */ 244 245 for (n = 1; n < num; n++) /* for each argument */ 246 upper(arg[n]); /* convert it to uppercase */ 247 #else 248 /* avoid case problems with command options */ 249 upper(arg[1]); /* convert to uppercase */ 250 #endif 251 252 /* create archive names, supplying defaults */ 253 #if UNIX 254 if (!stat(arg[2],&sbuf)) { 255 if ((sbuf.st_mode & S_IFMT) == S_IFDIR) 256 makefnam(arg[2],".arc",arcname); 257 else 258 strcpy(arcname,arg[2]); 259 } else 260 makefnam(arg[2],".arc",arcname); 261 #else 262 makefnam(arg[2], ".ARC", arcname); 263 #endif Take a look on a the right off temporary files in /tmp : -rw-r--r-- 1 root root 1564 Sep 5 10:28 A3C6Zs4.arc The file should not be world readable. The same problem exists in marc.c   < Prev   Next > [ Back ]

Main Menu SpamAlerts | Windows | Linux | Tutorials | Excell | WhitePapers | News | Spam | Virus Windows Focus VNews Vulnerability Hacking Sql Injection map Downloads Affiliates Online Store Free Ringtones Seo Directory IWebListin Jobs in India Freshers Jobs listings. Winkeyfinder

Copyright 2005-2007 SpamAlertz.com, Content on this site is From variuos other emails, and Advisories.