[bug #29755] gdomap information disclosure vulnerabilities
From: Dan Rosenberg
Subject: [bug #29755] gdomap information disclosure vulnerabilities
Date: Mon, 03 May 2010 18:05:56 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
URL:
<http://savannah.gnu.org/bugs/?29755>
Summary: gdomap information disclosure vulnerabilities
Project: GNUstep
Submitted by: drosenbe
Submitted on: Mon 03 May 2010 06:05:55 PM GMT
Category: Application
Severity: 3 - Normal
Item Group: Bug
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
I've discovered two security vulnerabilities in gdomap, which was installed
on my Linux machine setuid root. These bugs allow unprivileged local users to
read the contents of arbitrary files.

When invoked with the -c (config file for probe) flag, gdomap reads a
user-specified file without confirming its ownership or permissions, and then
attempts to parse it as a configuration file. In a failed attempt to parse,
gdomap will print an error message containing the full contents of the
provided file, allowing an unprivileged local user to read anything on disk.
This also occurs when gdomap is invoked with the -a (config file for interface
list) flag, which uses a separate (but nearly identical) code path.

This behavior can be confirmed by:

$ gdomap -c /etc/shadow

or,

$ gdomap -a /etc/shadow

The ability to read arbitrary files on disk can easily result in privilege
escalation (reading SSH keys, etc.). To mitigate the issue, permissions should
be dropped to that of the invoking user prior to attempting to open a provided
configuration file.

I've reported this bug downstream on Ubuntu's Launchpad, and their security
team suggested I file a report with you. Let me know if you need any more
information about this vulnerability.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?29755>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/