RETIRED: mktemp Predictable Temporary Filename Vulnerability
BID:30701
Info
| Bugtraq ID: | 30701 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Aug 15 2008 12:00AM |
| Updated: | Aug 26 2008 02:36PM |
| Credit: | Dirk Wetter |
| Vulnerable: | Todd Miller mktemp 1.5; Debian Linux 4.0 sparc, Debian Linux 4.0 s/390, Debian Linux 4.0 powerpc, Debian Linux 4.0 mipsel, Debian Linux 4.0 mips, Debian Linux 4.0 m68k, Debian Linux 4.0 ia-64, Debian Linux 4.0 ia-32, Debian Linux 4.0 hppa, Debian Linux 4.0 arm, Debian Linux 4.0 amd64, Debian Linux 4.0 alpha, Debian Linux 4.0 |
| Not Vulnerable: | |
Discussion
The 'mktemp' utility may create temporary files with names based on the current process ID. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Attackers may be able to gain elevated privileges.
This vulnerability resides in Todd Miller's mktemp 1.5; other versions may also be vulnerable. GNU coreutils mktemp is not currently believed to be vulnerable.
UPDATE (August 8, 2008): This issue is being retired. Since the temporary file is created with 'O_EXCL', this issue is not exploitable. Attacks may be possible when mktemp is called with the '-u' option, but this is documented as an unsafe mode. Any exploitable use of this script would be a vulnerability in third-party scripts, not in 'mktemp' itself.
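The retirement rationale above rests on how 'O_EXCL' treats a name that already exists as a symbolic link. The following C program is an added example, not part of the advisory or of mktemp's source, that creates a file at a predictable name with and without 'O_EXCL' and reports what happens to the link target. The sandbox directory, the name tmp.12345 and the function create_over_symlink are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Plant a symlink at a predictable temp name in a private sandbox directory,
 * then create the temp file with O_CREAT plus extra_flags and write to it.
 * Returns the final size of the symlink's target (-1 on setup error);
 * *open_errno is 0 if open() succeeded, otherwise its errno. */
long create_over_symlink(int extra_flags, int *open_errno)
{
    char dir[] = "/tmp/bid30701-demo.XXXXXX";   /* constructed sandbox path */
    char target[64], tmpname[64];
    struct stat st;
    long size = -1;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmpname, sizeof tmpname, "%s/tmp.12345", dir); /* PID-style name */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* empty target */
    if (fd >= 0 && close(fd) == 0 && symlink(target, tmpname) == 0) {
        fd = open(tmpname, O_WRONLY | O_CREAT | extra_flags, 0600);
        *open_errno = (fd < 0) ? errno : 0;
        if (fd >= 0) {
            if (write(fd, "data\n", 5) != 5)
                perror("write");
            close(fd);
        }
        if (stat(target, &st) == 0)
            size = (long)st.st_size;
    }
    unlink(tmpname);
    unlink(target);
    rmdir(dir);
    return size;
}

int main(void)
{
    int e;
    long n = create_over_symlink(0, &e);   /* caller opens a '-u' name itself */
    printf("O_CREAT only:   errno=%d, target size=%ld\n", e, n);
    n = create_over_symlink(O_EXCL, &e);   /* mktemp's own exclusive create */
    printf("O_CREAT|O_EXCL: errno=%d, target size=%ld\n", e, n);
    return 0;
}
```

Without 'O_EXCL' the write lands in the link target; with it, open() fails with EEXIST and the target stays empty, which is why a script that opens a name obtained from 'mktemp -u' needs its own exclusive create.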
Exploit / POC
An attacker uses readily available commands to exploit this issue.
Solution / Fix
Solution:
Debian has released a fix. Please see the references for more information.
References
References:
- mktemp generated string partly not random (Dirk Wetter)
- mktemp Homepage (Todd Miller)
- Re: CVE id request: mktemp (Sebastian Krahmer)