Helix Code "go-gnome" /tmp Symlink Vulnerability
BID:1622
Info
| Bugtraq ID: | 1622 |
| Class: | Origin Validation Error |
| CVE: | CVE-2000-0724 |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 29 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | First posted to Bugtraq by peterw <[email protected]> on August 29, 2000. |
| Vulnerable: | Helix Code Go-Gnome Pre-Installer 1.5 |
| Not Vulnerable: | Helix Code Go-Gnome Pre-Installer 1.5.2 |
Discussion
Go-Gnome is a system created by Helix Code to download the files necessary to install Helix Code Gnome easily and automatically. It is essentially a shell script served by go-gnome.com that is dumped into a text file with lynx and then executed. When run, Go-Gnome creates a number of temporary files in /tmp with predictable filenames. Because /tmp is world-writable, a malicious user who knows in advance that root is going to use go-gnome to install Gnome can, before go-gnome runs, create symbolic links in /tmp that carry the names of the files go-gnome writes and point to arbitrary files on the filesystem. When go-gnome is executed, it attempts to write to these files but instead writes to whatever the symbolic links point to. An attacker who knows that go-gnome will be run can therefore overwrite any file on the filesystem. This can lead to a denial of service or, in some cases, compromise of the system.
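The predictable-name pattern described above, next to a hardened alternative, as an added example (not go-gnome's code and not part of the advisory). The file name installer.tmp and all function names are constructed, and everything runs inside a throwaway sandbox directory rather than the real /tmp.

```shell
#!/bin/sh
# Added example; installer.tmp and all function names are constructed.

# Weak: fixed name in a shared directory. '>' follows a symlink that is
# already sitting at that name, so the data lands in the link's target.
write_predictable() {            # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/installer.tmp"
}

# Hardened: mktemp -d atomically creates a new 0700 directory with an
# unpredictable name; nothing can be pre-planted inside it.
write_private() {                # $1 = shared dir, $2 = data; prints file path
    (
        umask 077
        work=$(mktemp -d "$1/installer.XXXXXX") || exit 1
        set -C                   # noclobber: '>' refuses an existing name
        printf '%s\n' "$2" > "$work/installer.tmp" || exit 1
        printf '%s\n' "$work/installer.tmp"
    )
}

# Builds a sandbox with a link pre-planted at the predictable name, runs
# the given writer, and prints what the link's target contains afterwards.
victim_after() {                 # $1 = writer function name
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/shared/installer.tmp"
    "$1" "$sandbox/shared" "installer data" > /dev/null
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

printf 'predictable name: victim holds "%s"\n' "$(victim_after write_predictable)"
printf 'mktemp -d:        victim holds "%s"\n' "$(victim_after write_private)"
```
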
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Helix Code Go-Gnome Pre-Installer 1.5
- Helix Code go-gnome 1.5.2: http://go-gnome.com
References
- Go-Gnome Server (Helix Code, Inc.)
- Helix Code Homepage (Helix Code, Inc.)