######################################################### Application: cdwrite 1.3 Versions: 1.3 Vendor: Cezary M. Kruk & H. P. de Vries Impact: Could allow attacker to overwrite/manipulate files as the user running cdwrite. Vendor status: Vendor contacted, no reply yet. Date: 06/12/03 ######################################################### ~*~*~*~*~*~*~*~ Introduction ~*~*~*~*~*~*~*~ "Cdwrite is the shell for creation of data and audio disks, including compilations. It allows to use pregaps and recognizes indices. The shell needs mkisofs and cdrecord for data and cdparanoia, cdda2wav, cdrdao, and -- optionally -- lame for audio.". However, there exists a vulnerability in the way that cdwrite 1.3 handles tmp files. This could result in an attacker manipulating or overwriting files as the user running cdwrite 1.3. ~*~*~*~*~*~*~*~ The Bug ~*~*~*~*~*~*~*~ The bug occurs when cdwrite 1.3 creates a temp file (by default '/tmp/.tempfile') to store certain things, never checking the validity or authenticity of the file before writing to, reading from or executing the tmp file. Consequently, an attacker could create a symlink from the tmp file (/tmp/.tempfile) to a file owned by (or a file which the user has write permissions to) the user running cdwrite 1.3, causing arbitrary files to be overwritten/manipulated as the user invoking cdwrite. ~*~*~*~*~*~*~*~ The Exploit ~*~*~*~*~*~*~*~ No exploit code is necessary. All that is required is that an attacker symlinks the file to an arbitrary file of her choice during the execution of the cdwrite 1.3 script. Example ---SNIP ls -al /tmp/.tempfile ln -s /etc/nologin /tmp/.tempfile ---SNIP Assuming it was the root user which invoked the cdwrite script, all users except root would now be temporarily locked out of the system, due to the existance of /etc/nologin. More critical system files could be overwritten or manipulated, but above serves as an illustrating example. As a matter of severity, at the end of the script, cdwrite 1.3 deletes (rm -f /tmp/.tempfile) the created tmp file, thus important system files could be DELETED altogether assuming that cdwrite 1.3 is executed by root. ~*~*~*~*~*~*~*~ The Fix ~*~*~*~*~*~*~*~ I contacted the vendor (Cezary M. Kruk) earlier, he may decide to patch this issue, or not. The issue would not be particuarly hard to fix, but I'll wait for Cezary's response. ~*~*~*~*~*~*~*~ Credit ~*~*~*~*~*~*~*~ This vulnerability was discovered by Shaun Colley / shaun2k2 on 06/12/03. Merry Christmas all! Thank you for your time. Shaun. ________________________________________________________________________ BT Yahoo! Broadband - Save £80 when you order online today. Hurry! Offer ends 21st December 2003. The way the internet was meant to be. http://uk.rd.yahoo.com/evt=21064/*http://btyahoo.yahoo.co.uk
