Date: Sun May 12
Problem App: Gaim Messenger Client
Problem: Permissions Problem
Severity: Low/Medium
Results: A local attacker can gain full access to other gaim users' Hotmail accounts
Evidence: See the end of this email for a shell example of this issue
Exploitable: Simple if gaim is running, hard if not.

** Gaim notified & fix available **

Yes, and it's fixed in the nightly CVS, and will be fixed in version 0.58. Until 0.58 comes out, it is best to fix this problem on multi-user systems running gaim by getting the latest CVS.

Grab the *FIX* here: http://gaim.sourceforge.net/downloads.php

After speaking to a developer in the gaim IRC room, it's obvious this bug is known to them, but we agreed everyone else using gaim should be notified with this email. I'd like to take this opportunity to thank the developer for his quick response - good old IRC. :-)

cheers!

:Problem:

I'm using 'gaim' (gaim.sourceforge.net) as a chat client for AOL Instant Messenger and MSN Messenger. I'm running Red Hat 7.3 and gaim version 0.57 (the latest). I have enabled, in the gaim setup of the MSN protocol, the option to check for Hotmail email when gaim starts (MSN Messenger for Windows does this too). To enable this, run gaim, go into Accounts, open your MSN account listed there and tick the option. To make an MSN account, ensure gaim loads the MSN plugin when it starts up.

Gaim uses /tmp as a dumping ground for many temp files. Here's what the problem is:

1) Gaim starts up and checks your Hotmail email (if this option is enabled in your gaim setup).

2) It creates two files in /tmp. These files are named file<someRandomLetters>, e.g. fileFH9e0w or file984345. If you have loads of these files in /tmp, it's because you have run gaim loads of times! Delete them and re-run gaim to get the current two.

3) These files have the permissions:

   4 -rw-rw-r--  1 smackenz smackenz  978 May 12 03:01 /tmp/file984345

   (smackenz is the gaim user.)
** As you can see, they are readable by anyone **

If I then close gaim (or leave it open), go into /tmp as a different user (or even from a different computer..), and use a web browser (for example Konqueror) to open one of the two files, it takes you straight to the gaim user's Hotmail inbox, where you'll have full access. Of the two files, it seems that each one does this, but if the first doesn't work, try the second.

*IMPORTANT* This only works whilst the other user is running gaim, or for a minute or so *after* the user closes gaim - probably because after gaim is closed a session ID from Hotmail will change, therefore making the session ID in the 'stolen' file incorrect. That session ID is a total guess btw; I've hardly looked into this problem, but it seems a logical answer given this:

more /tmp/file*
<skipped for easy reading>...
<input type="hidden" name="auth" value="2AAAAAAAADfFg7dCWdlevXUGqgbzqmlMlWYjtXUaSbSpr*zqdYziwIhw$$">
<input type="hidden" name="creds" value="aec291f9a02b4837de38eb661dbf9847">

*TESTING* To best test for this problem, I suggest you remove all the old files in /tmp called file<something>, then run gaim and re-check /tmp - you'll then be able to distinguish which are the new files.

To resolve this issue, a basic method would be to recompile gaim with corrected permission settings for the /tmp files, i.e. create them mode 0600 (owner read/write only). This would then only allow the gaim user to access the files, and not every other lamer on the system.

Thanks.
Scott.
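The fix sketched in the previous paragraph, as an added C example that is not gaim's own code (gaim's temp-file routine is not reproduced here): an insecure writer that recreates the -rw-rw-r-- symptom (creation mode 0666 narrowed only by the 002 umask Red Hat 7.3 gave ordinary users) beside a hardened writer that uses mkstemp() and fchmod(0600), plus a small check for the resulting mode. The form contents, the file-name template, the pid-based name and the use of $TMPDIR are all constructed for the demo.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the auto-login page gaim dropped in /tmp. The
 * auth/creds values are made up; only the shape of the file matters here. */
static const char sample_form[] =
    "<html><body onload=\"document.forms[0].submit()\">\n"
    "<form method=\"post\" action=\"https://login.example.invalid/\">\n"
    "<input type=\"hidden\" name=\"auth\" value=\"EXAMPLE-AUTH-TOKEN\">\n"
    "<input type=\"hidden\" name=\"creds\" value=\"00112233445566778899aabbccddeeff\">\n"
    "</form></body></html>\n";

/* Write the form to fd, read back the permission bits with fstat(), then
 * remove the file so the demo leaves nothing behind. Returns mode & 0777 or -1. */
static int write_form_and_report_mode(int fd, const char *path)
{
    struct stat st;
    int mode = -1;
    ssize_t len = (ssize_t)(sizeof sample_form - 1);

    if (fd < 0)
        return -1;
    if (write(fd, sample_form, (size_t)len) == len && fstat(fd, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return mode;
}

/* Vulnerable pattern: a guessable name (pid-based, in the style of
 * /tmp/file984345) and a creation mode of 0666 that is only narrowed by the
 * process umask. With umask 002 this yields 0664 (-rw-rw-r--), so every local
 * account can read the hidden auth/creds fields. The umask is set explicitly
 * here so the demo is deterministic, then restored. */
int write_token_insecure(const char *dir)
{
    char path[4096];
    mode_t old;
    int fd;

    snprintf(path, sizeof path, "%s/file%ld", dir, (long)getpid());
    old = umask(002);
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    return write_form_and_report_mode(fd, path);
}

/* Hardened pattern: mkstemp() replaces XXXXXX with an unpredictable suffix and
 * opens the file O_CREAT|O_EXCL, so a pre-planted name or symlink makes it
 * fail instead of being followed; fchmod() then pins 0600 on the open
 * descriptor regardless of umask (glibc's mkstemp already uses 0600, but that
 * is libc-specific, so we do not rely on it). */
int write_token_secure(const char *dir)
{
    char path[4096];
    int fd;

    snprintf(path, sizeof path, "%s/fileXXXXXX", dir);
    fd = mkstemp(path);
    if (fd >= 0 && fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return write_form_and_report_mode(fd, path);
}

/* Audit check for the modes above (or for `stat -c %a` output on a live
 * system): anything readable by group or others leaks the credentials. */
int mode_leaks_to_other_users(int mode)
{
    return (mode & (S_IRGRP | S_IROTH)) != 0;
}

/* Honour $TMPDIR if set, otherwise the /tmp the advisory describes. */
const char *tmp_dir(void)
{
    const char *d = getenv("TMPDIR");
    return (d && *d) ? d : "/tmp";
}

int main(void)
{
    int insecure = write_token_insecure(tmp_dir());
    int secure = write_token_secure(tmp_dir());

    printf("insecure writer: mode %04o, leaks: %s\n", insecure,
           mode_leaks_to_other_users(insecure) ? "yes" : "no");
    printf("secure writer:   mode %04o, leaks: %s\n", secure,
           mode_leaks_to_other_users(secure) ? "yes" : "no");
    return 0;
}
```

Run it as an ordinary user and compare the two modes; on a box where several people log in, a `find /tmp -maxdepth 1 -name 'file*' -perm -o+r` while gaim is running is the quick way to confirm whether the installed build still behaves like the insecure writer.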
Below is a shell output of this attack:

[smackenz@smackenz smackenz]$ ls /tmp |grep file*
[smackenz@smackenz smackenz]$ id
uid=500(smackenz) gid=500(smackenz) groups=500(smackenz)
[smackenz@smackenz smackenz]$ gaim
[smackenz@smackenz smackenz]$ ls /tmp |grep file*
file8veFxR
fileKGVdms
[smackenz@smackenz smackenz]$ su user
Password:
[user@smackenz smackenz]$ id
uid=501(user) gid=501(user) groups=501(user)
[user@smackenz user]$ ls -las /tmp/file*
4 -rw-rw-r--  1 smackenz smackenz  978 May 12 03:11 /tmp/file8veFxR
4 -rw-rw-r--  1 smackenz smackenz  978 May 12 03:11 /tmp/fileKGVdms
[user@smackenz user]$ cd /tmp
[user@smackenz tmp]$ ls |grep file
fileCHuvIp
fileFbpaYB
[user@smackenz tmp]$ galeon fileCHuvIp

Later.
Scott.
Bradford Uni, UK.

--------------------------------------------------
Greets: deadbeat; "where's my modem man!" :-)
--------------------------------------------------