ncompress Insecure Temporary File Creation Vulnerability

Vulnerability ID: 1197826 Vulnerability type: Unknown
Published: 2005-09-20 Updated: 2005-09-20
CVE ID: CVE-2005-2991 CNNVD-ID: CNNVD-200509-183
Platform: N/A CVSS score: 2.1
|Vulnerability sources
https://www.securityfocus.com/bid/89298
https://cxsecurity.com/issue/WLB-2005090010
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200509-183
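|Vulnerability details
ncompress is a fast compression utility that is compatible with .Z files but not with .gz files. In ncompress 4.2.4 and earlier, local users can mount a symlink attack on temporary files through (1) zdiff or (2) zcmp.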
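
The pattern behind this class of bug, next to a hardened form, as an added example (not code from ncompress or from the advisory). The function names, the `report` basename and the scratch-directory layout are assumptions, and the constructed symlink lives only inside a private directory created by the script.

```shell
#!/bin/sh
# Added illustration: predictable temp-file name vs. mktemp, in a private sandbox.
# All names here (SANDBOX, unsafe_tmp_write, safe_tmp_write) are hypothetical.

# Weak pattern: the path is derived from a basename and the PID, so any local
# user can guess it ahead of time, and ">" follows a symlink planted there.
unsafe_tmp_write() {   # $1 = temp dir, $2 = basename, $3 = data
    tmp="$1/$2.$$"
    printf '%s\n' "$3" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so an existing file or symlink is never reused.
safe_tmp_write() {     # $1 = temp dir, $2 = basename, $3 = data
    tmp=$(mktemp "$1/$2.XXXXXXXXXX") || return 1
    printf '%s\n' "$3" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed scenario: a symlink already sits at the predictable path and
# points at a file owned by the script's user. Prints that file's content
# after the chosen writer has run.
demo() {               # $1 = writer function to exercise
    SANDBOX=$(mktemp -d) || return 1
    printf 'important\n' > "$SANDBOX/owned_file"
    ln -s "$SANDBOX/owned_file" "$SANDBOX/report.$$"
    "$1" "$SANDBOX" report "decompressed data" > /dev/null
    cat "$SANDBOX/owned_file"
    rm -rf "$SANDBOX"
}

echo "predictable name: $(demo unsafe_tmp_write)"
echo "mktemp:           $(demo safe_tmp_write)"
```

With the predictable name the owned file ends up holding the script's output; with `mktemp` it is left untouched.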
|Vulnerability EXP
#########################################################

ncompress insecure temporary file creation

Vendor: ftp://ftp.leo.org/pub/comp/os/unix/linux/sunsite/utils/compress/
Advisory: http://www.zataz.net/adviso/ncompress-09052005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#########################################################

The vulnerability is caused by a temporary file being created insecurely.
This can be exploited via symlink attacks in combination with a race
condition to create and overwrite arbitrary files with the privileges
of the user running the affected script.

Secunia has reported that D1g1t4lLeech discovered this bug
on 2005-09-16

ZATAZ Audit discovered this bug on 2005-09-05

D1g1t4lLeech is a true Leecher :)

Gentoo Security take care on your IRC Channel, spy everywhere.

##########
Versions:
##########

ncompress <= 4.2.4-r1

##########
Solution:
##########

To prevent symlink attacks, use a kernel patch such as grsecurity

#########
Timeline:
#########

Discovered : 2005-09-05
Vendor notified : 2005-09-05
Vendor response : no response
Vendor fix : no patch
Vendor Sec report (vendor-sec (at) lst (dot) de) :
Disclosure :

#####################
Technical details :
#####################

ncompress uses a vulnerable version of zdiff and zcmp.

#########
Related :
#########

Secunia : http://secunia.com/advisories/13131/
CVE : CAN-2004-0970

#####################
Credits :
#####################

Eric Romang (eromang (at) zataz (dot) net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)
|Affected products
ncompress ncompress 4.2.4 R1
|References

Source: MISC
Link: http://www.zataz.net/adviso/ncompress-09052005.txt
Source: FULLDISC
Name: 20050916 ncompress insecure temporary file creation
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=112688098630314&w=2
Source: BUGTRAQ
Name: 20050916 ncompress insecure temporary file creation
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112689772732098&w=2
Source: SREASON
Name: 12
Link: http://securityreason.com/securityalert/12