|
GWCC Insecure Temporary File Creation |
Wednesday, 21 September 2005 |
Summary
"GWCC allows users to execute network utilities (ping, nslookup, traceroute) and workstation commands (netstat, df, process grep) from a single tabbed window."
GWCC creates temporary files in an insecure manner that allows local attackers to perform symbolic link attacks.
Credit:
The information has been provided by ZATAZ Audits.
The original article can be found at: http://www.zataz.net/adviso/gwcc-09052005.txt
Details
Vulnerable Systems:
* gwcc version 0.9.6-r2 and prior
GWCC creates a temporary file with a constant name in the user's home directory, or in the /tmp directory if the HOME environment variable is null.
An attacker can cause GWCC to create the temporary file in the /tmp directory, and overwrite files using a symbolic link attack.
Possible Patch:
http://bugs.gentoo.org/attachment.cgi?id=67477:
diff -ru gwcc-0.9.6/src/callbacks.c gwcc-0.9.6.new/src/callbacks.c
--- gwcc-0.9.6/src/callbacks.c 2001-07-26 19:50:16.000000000 +0100
+++ gwcc-0.9.6.new/src/callbacks.c 2005-09-02 14:19:39.344296608 +0100
@@ -1697,10 +1697,14 @@
}
// Create temp file to be Printed (via file saving function).
- perform_file_save("temp", NULL);
+ if (perform_file_save("temp", NULL) != 0)
+ return;
// Pipe print command and voila!, the doc is printed.
- strcat(print_command, " /tmp/gwcc_out.txt");
+ snprintf (print_command + strlen(print_command),
+ sizeof(print_command) - strlen(print_command) - 1,
+ " %s%s", getenv("HOME"), "/gwcc_temp.txt");
+
if (system(print_command) == -1) {
// sprintf(entry_text, "The System Call %s failed!", print_command);
gnome_dialog_run_and_close(GNOME_DIALOG(gnome_error_dialog(entry_text)));
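Review bot: In the added `snprintf` call, `getenv("HOME")` is interpolated unquoted into `print_command`, which then goes to `system()`, so a home path containing spaces or shell metacharacters is parsed by the shell instead of being treated as a single file argument. The call also relies on `perform_file_save` having already rejected an unset `HOME`; reading it once into a local, `const char *home = getenv("HOME"); if (home == NULL) return;`, would make that dependency explicit. The return value of `snprintf` is not checked, so a truncated path would be handed to the print command silently, and `sizeof(print_command)` only yields the buffer size if `print_command` is an array, which is declared outside the hunk. The enclosing function starts and ends outside the hunk.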
diff -ru gwcc-0.9.6/src/prefs.c gwcc-0.9.6.new/src/prefs.c
--- gwcc-0.9.6/src/prefs.c 2001-07-15 07:00:30.000000000 +0100
+++ gwcc-0.9.6.new/src/prefs.c 2005-09-02 14:04:41.998713872 +0100
@@ -27,6 +27,7 @@
#include /* for string functs */
#include /* for open() command */
#include /* for mkdir() funct */
+ #include
#include "prefs.h"
#include "interface.h"
#include "support.h"
diff -ru gwcc-0.9.6/src/utils.c gwcc-0.9.6.new/src/utils.c
--- gwcc-0.9.6/src/utils.c 2001-05-15 04:42:21.000000000 +0100
+++ gwcc-0.9.6.new/src/utils.c 2005-09-02 14:20:07.050084688 +0100
@@ -91,16 +91,15 @@
}
gtk_widget_destroy(GTK_WIDGET(user_data));
}
- else if (strcmp(operation, "temp") == 0) {
- strcat(file_name, "/tmp/gwcc_out.txt");
- }
- else if (strcmp(operation, "home") == 0) {
- env_homedir = getenv("HOME");
- if (env_homedir == NULL) {
- strcpy(env_homedir, "/tmp");
- }
- strcpy(file_name, env_homedir);
- strcat(file_name, "/gwcc_out.txt");
+ else if ((strcmp(operation, "temp") == 0) || strcmp(operation, "home") == 0) {
+ env_homedir = getenv("HOME");
+ if (env_homedir == NULL)
+ return 1;
+ strcpy(file_name, env_homedir);
+ if (strcmp(operation, "home") == 0)
+ strcat(file_name, "/gwcc_out.txt");
+ else
+ strcat(file_name, "/gwcc_temp.txt");
}
// Get the number (int) of current notebook page (0...n-1),
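Review bot: `strcpy(file_name, env_homedir)` and the `strcat` calls after it copy the environment-supplied `HOME` into `file_name` with no length bound, so an overlong `HOME` would write past the buffer; the declaration of `file_name` is outside the hunk, so its size cannot be confirmed here. A bounded form such as `int n = snprintf(file_name, sizeof(file_name), "%s/gwcc_temp.txt", env_homedir); if (n < 0 || (size_t)n >= sizeof(file_name)) return 1;` (assuming `file_name` is an array) would match the bounded write used in callbacks.c. The temporary file still has a fixed name: moving it under `$HOME` removes the shared /tmp exposure, but whether the later open refuses an existing symlink (for example `O_EXCL`, or a switch to `mkstemp`) is not visible in this hunk and is worth checking.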
|