[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] More /tmp fun (PHP, Lynis)



After reading about today's "Check, rootkit" vulnerability (CVE-2014-0476),
I thought I'd share these stupid bugs:

BUG #1 - PHP's ./configure script writes a predictable filename to /tmp
allowing for a symlink attack against the user running the script

From PHP 5.5.13:

 18045 #include <stdio.h>
 18046 int main(int argc, char *argv[])
 18047 {
 18048   FILE *fp;
 18049   long position;
 18050   char *filename = "/tmp/phpglibccheck";
 18051
 18052   fp = fopen(filename, "w");
 18053   if (fp == NULL) {
 18054     perror("fopen");
 18055     exit(2);
 18056   }
 18057   fputs("foobar", fp);
 18058   fclose(fp);
 18059
 18060   fp = fopen(filename, "a+");
 18061   position = ftell(fp);
 18062   fclose(fp);
 18063   unlink(filename);
 18064   if (position == 0)
 18065   return 1;
 18066   return 0;
 18067 }

Reported to security@xxxxxxx twice, no response ever received:
  September 22, 2012
  January 8, 2013

This issue goes back at least 10+ years, but no one configures/compiles PHP
as root and your files aren't important anyway.


BUG #2 - Lynis 1.5.4 (and presumably earlier) writes a predictable filename
to /tmp allowing for a symlink attack against the user running the script
Website: rootkit.nl

This utility, which is similar in nature to "chkrootkit" and "rkhunter" and
must be run as root, also writes a predictable filename to /tmp (you'll
have to win a race for this one). Unreported, because this is security
software. Therefore it is secure. (The logic is intentional. What's to
report?)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/