[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] More /tmp fun (PHP, Lynis)
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] More /tmp fun (PHP, Lynis)
- From: A B <icanbenchpressmykeyboard@xxxxxxxxx>
- Date: Wed, 4 Jun 2014 17:50:13 -0400
After reading about today's "Check, rootkit" vulnerability (CVE-2014-0476),
I thought I'd share these stupid bugs:
BUG #1 - PHP's ./configure script writes a predictable filename to /tmp
allowing for a symlink attack against the user running the script
From PHP 5.5.13:
18045 #include <stdio.h>
18046 int main(int argc, char *argv[])
18047 {
18048 FILE *fp;
18049 long position;
18050 char *filename = "/tmp/phpglibccheck";
18051
18052 fp = fopen(filename, "w");
18053 if (fp == NULL) {
18054 perror("fopen");
18055 exit(2);
18056 }
18057 fputs("foobar", fp);
18058 fclose(fp);
18059
18060 fp = fopen(filename, "a+");
18061 position = ftell(fp);
18062 fclose(fp);
18063 unlink(filename);
18064 if (position == 0)
18065 return 1;
18066 return 0;
18067 }
Reported to security@xxxxxxx twice, no response ever received:
September 22, 2012
January 8, 2013
This issue goes back at least 10+ years, but no one configures/compiles PHP
as root and your files aren't important anyway.
BUG #2 - Lynis 1.5.4 (and presumably earlier) writes a predictable filename
to /tmp allowing for a symlink attack against the user running the script
Website: rootkit.nl
This utility, which is similar in nature to "chkrootkit" and "rkhunter" and
must be run as root, also writes a predictable filename to /tmp (you'll
have to win a race for this one). Unreported, because this is security
software. Therefore it is secure. (The logic is intentional. What's to
report?)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/