[bug #29755] gdomap information disclosure vulnerabilities

From: Dan Rosenberg
Subject: [bug #29755] gdomap information disclosure vulnerabilities
Date: Mon, 03 May 2010 18:05:56 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3


                 Summary: gdomap information disclosure vulnerabilities
                 Project: GNUstep
            Submitted by: drosenbe
            Submitted on: Mon 03 May 2010 06:05:55 PM GMT
                Category: Application
                Severity: 3 - Normal
              Item Group: Bug
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any



I've discovered two security vulnerabilities in gdomap, which was installed
on my Linux machine setuid root.  These bugs allow unprivileged local users to
read the contents of arbitrary files.

When invoked with the -c (config file for probe) flag, gdomap reads a
user-specified file without confirming its ownership or permissions, and then
attempts to parse it as a configuration file. In a failed attempt to parse,
gdomap will print an error message containing the full contents of the
provided file, allowing an unprivileged local user to read anything on disk.
This also occurs when gdomap is invoked with the -a (config file for interface
list) flag, which uses a separate (but nearly identical) code path.

This behavior can be confirmed by:

$ gdomap -c /etc/shadow


$ gdomap -a /etc/shadow

The ability to read arbitrary files on disk can easily result in privilege
escalation (reading SSH keys, etc.). To mitigate the issue, permissions should
be dropped to that of the invoking user prior to attempting to open a provided
configuration file.

I've reported this bug downstream on Ubuntu's Launchpad, and their security
team suggested I file a report with you.  Let me know if you need any more
information about this vulnerability.

