IRIX inpview Race Condition Vulnerability
BID:1530
Info
IRIX inpview Race Condition Vulnerability
| Bugtraq ID: | 1530 |
| Class: | Race Condition Error |
| CVE: |
CVE-2000-0799 |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 02 2000 12:00AM |
| Updated: | Jul 14 2007 11:06AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list by LSD <[email protected]> (Last Stages of Delirium) on August 2, 2000. |
| Vulnerable: |
SGI IRIX 6.5.8 SGI IRIX 6.5.7 SGI IRIX 6.5.6 SGI IRIX 6.5.4 SGI IRIX 6.5.3 m SGI IRIX 6.5.3 f SGI IRIX 6.5.3 SGI IRIX 6.5.2 m SGI IRIX 6.5.1 SGI IRIX 6.5 |
| Not Vulnerable: | |
Discussion
IRIX inpview Race Condition Vulnerability
Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition.
InPerson's 'inpview' is a networked multimedia conferencing tool. InPerson provides multiway audio and video conferencing with a shared whiteboard, combined into a single, easy-to-use application. You use a separate "phone" tool to place and answer calls.
The 'inpview' program writes out temporary files in the '/var/tmp' directory. Because these filenames are not random, an attacker can create a symlink to a previously created filename and force the SUID 'inpview' to overwrite the file with 'rw-rw-rw' permissions.
Certain versions of IRIX ship with a version of inpview that creates files in '/var/tmp/' in an insecure manner and is therefore prone to a race condition.
InPerson's 'inpview' is a networked multimedia conferencing tool. InPerson provides multiway audio and video conferencing with a shared whiteboard, combined into a single, easy-to-use application. You use a separate "phone" tool to place and answer calls.
The 'inpview' program writes out temporary files in the '/var/tmp' directory. Because these filenames are not random, an attacker can create a symlink to a previously created filename and force the SUID 'inpview' to overwrite the file with 'rw-rw-rw' permissions.
Exploit / POC
IRIX inpview Race Condition Vulnerability
The following exploit is available:
The following exploit is available:
Solution / Fix
IRIX inpview Race Condition Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
References
IRIX inpview Race Condition Vulnerability
References:
References:
- LSD Home Page (LSD)
- SGI Support (Silicon Graphics Inc.)
- Welcome to SGI (Silicon Graphics Inc.)