From: ZATAZ.net <exploits@zataz.net>
To: moderators@osvdb.org, bugs@securitytracker.com, vuldb@securityfocus.com, vuln@secunia.com, vuln@k-otik.com, submissions@packetstormsecurity.org, news@securiteam.com, xforce@iss.net
Cc: ZATAZ.net <exploits@zataz.net>
Date: Sun, 22 May 2005 12:31:11 +0200
Subject: [OSVDB Mods] Gentoo webapp-config insecure temporary file creation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#########################################################

Gentoo webapp-config insecure temporary file creation

Vendor: http://www.gentoo.org
Advisory: http://www.zataz.net/adviso/webapp-config-05182005.txt
Vendor informed: yes
Exploit available: yes
Impact : high
Exploitation : low

#########################################################

Gentoo webapp-config contain a security flaw wich could allow a
malicious local user to execute command with root privileges.

The vulnerability is due to an insecure temporary file creation.

The exploitation require that the root user install, upgrade or delete
Gentoo provided web application with the webapp-config tool.

##########
Versions:
##########

webapp-config < 1.10-r14

##########
Solution:
##########

Upgrade to net-www/webapp-config 1.10-r14

#########
Timeline:
#########

Discovered : 2005-05-07
Vendor notified : 2005-05-07
Vendor response : 2005-05-07
Vendor fix :  2005-05-08
Disclosure :

#####################
Technical details :
#####################

Vulnerable code :
- -----------------

Begin line 2711

fn_show_postinst ()
{
         if [ ! -f "${MY_APPDIR}/postinst-en.txt" ]; then
                 return
         fi

         local my_file="/tmp/$$.postinst.txt"

         fn_run_vars

         # we create a temporary file, so that we can expand the  
variables
         # that are used in the file

         echo "cat <<webapp-EOF" > "$my_file"
         cat "${MY_APPDIR}/postinst-en.txt" >> "$my_file"
         echo "webapp-EOF" >> "$my_file"

         # execute the temporary file, to generate the output

         echo
         . "$my_file"
         echo

         # it's a temporary file, so let's get rid of it now

         rm -f "$my_file"
}

#####
POC :
#####

http://www.zataz.net/dev/webapp-poc.sh.txt

#########
Related :
#########

Bug report : https://bugs.gentoo.org/show_bug.cgi?id=91785
GLSA : Waiting for it

#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, etc.)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCkF9vXXuxWE8lDAcRAjSjAJ0e4O5D5H2CDWOBex+Aay2BCYVznwCfci+7
KGXba0qvTu5b20ABcBkABKQ=
=7wI3
-----END PGP SIGNATURE-----