BID:2184

squid /tmp File Race Condition Vulnerability

Info

squid /tmp File Race Condition Vulnerability

Bugtraq ID:	2184
Class:	Race Condition Error
CVE:
Remote:	No
Local:	Yes
Published:	Jan 10 2001 12:00AM
Updated:	Jan 10 2001 12:00AM
Credit:	This vulnerability was first announced by Greg KH <[email protected]> on January 10, 2001 via Bugtraq.
Vulnerable:	Wirex Immunix OS 7.0 -Beta Turbolinux Turbolinux Workstation 6.1 Turbolinux Turbolinux 6.0.5 Turbolinux Turbolinux 6.0.4 Turbolinux Turbolinux 6.0.3 Turbolinux Turbolinux 6.0.2 Turbolinux Turbolinux 6.0.1 Turbolinux Turbolinux 6.0 Trustix Secure Linux 1.2 Trustix Secure Linux 1.1 Redhat Linux 7.0 National Science Foundation Squid Web Proxy 2.3 STABLE4 - Caldera OpenLinux Server 3.1 - Immunix Immunix OS 7.0 beta - Immunix Immunix OS 7.0 - Immunix Immunix OS 6.2 - MandrakeSoft Corporate Server 1.0.1 - MandrakeSoft Single Network Firewall 7.2 - Mandriva Linux Mandrake 8.0 - Mandriva Linux Mandrake 7.2 - Mandriva Linux Mandrake 7.1 + Redhat Linux 7.1 ia64 + Redhat Linux 7.1 i386 + Redhat Linux 7.1 alpha + Redhat Linux 7.0 i386 + Redhat Linux 7.0 alpha + Redhat Linux 6.2 sparc + Redhat Linux 6.2 i386 + Redhat Linux 6.2 alpha - SuSE Linux 7.3 - SuSE Linux 7.2 - SuSE Linux 7.1 x86 - SuSE Linux 7.1 sparc - SuSE Linux 7.1 ppc - SuSE Linux 7.1 alpha - SuSE Linux 7.0 sparc - SuSE Linux 7.0 ppc - SuSE Linux 7.0 alpha - SuSE Linux 7.0 - SuSE Linux 6.4 ppc - SuSE Linux 6.4 alpha - SuSE Linux 6.4 - Trustix Secure Linux 1.2 - Trustix Secure Linux 1.1 - Trustix Secure Linux 1.0 1 Mandriva Linux Mandrake 7.2 Mandriva Linux Mandrake 7.1 Mandriva Linux Mandrake 7.0 Mandriva Linux Mandrake 6.1 Mandriva Linux Mandrake 6.0

Not Vulnerable:

Discussion

squid /tmp File Race Condition Vulnerability

squid is a freely available Web Proxy software package, written and maintained by the National Science Foundation. Problems with the software could lead to a race condition.

The problem occurs in the operation of the software and it's creation of /tmp files. The squid package can be configured to send out emails to the administrator when updates occur. However, when the email is created, files in the /tmp directory are created insecurely and the pre-existance of files is not queried. The creation of the files in the /tmp directory normally occur under the conditions of either using a development version of squid, or when the system clock is reporting an incorrect time. Therefore, it is possible for a user with malicious motives to guess the handle of a future /tmp file, and create a symbolic link to a file writable by the UID of the squid process, thus overwriting a file owned by the squid user, or appending to and corrupting the file.