Vulnerability in libtool 1.5
From: Stefan Nordhausen
Subject: Vulnerability in libtool 1.5
Date: Fri, 2 Jan 2004 23:13:51 +0100
User-agent: KMail/1.5.1

Hi!
In ltmain.in, libtool insecurely creates a temporary directory which can be
exploited by an attacker to overwrite/create/delete files with the privileges
of the user running ltmain.in.

In "ltmain.in" line 5570 you use the following code to create a temporary
directory:

    tmpdir="/tmp"
    test -n "$TMPDIR" && tmpdir="$TMPDIR"
    tmpdir="$tmpdir/libtool-$$"
    if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
    else
      $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
      continue
    fi

The insecure part is '$mkdir -p "$tmpdir"'. The -p option tells mkdir to report
success even if $tmpdir already existed. This allows an attacker to sneak in
a symlink.
Possible exploit: Create a few thousand symlinks numbered /tmp/libtool-1 to
/tmp/libtool-50000 that point to /home/foobar (if user foobar will be running
ltmain.in). Then, line 5587 of ltmain.in which reads

    ${rm}r "$tmpdir"

will be translated into

    rm -r "/home/foobar"

which will probably be a very unpleasant experience for Mr. foobar. I haven't
tried this out (duh), but I think you get the point: this one can be really
nasty.
Solution: Simply remove the -p option and mkdir will do its job securely.
Regards
Stefan Nordhausen
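
Added example (not part of the original message and not libtool's code): the reported mkdir -p pattern next to a creation that refuses a pre-existing name, exercised inside a throwaway sandbox directory. The function names and the sandbox layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; all function names here are hypothetical.

# Pattern from the report: -p reports success when the path already exists,
# including when it is a symlink that resolves to a directory.
create_tmpdir_unsafe() {   # $1 = base directory, $2 = directory name
    mkdir -p "$1/$2" 2>/dev/null && chmod 700 "$1/$2"
}

# Fix proposed in the report: no -p, so an existing file, directory or
# symlink under that name makes mkdir fail. umask 077 makes the directory
# private at creation time, so no separate chmod step is needed.
create_tmpdir_safe() {
    ( umask 077 && mkdir "$1/$2" ) 2>/dev/null
}

# Where mktemp is available, an unpredictable name removes the guessable
# libtool-$$ path as well; the directory is created with mode 0700.
create_tmpdir_mktemp() {
    mktemp -d "$1/libtool-XXXXXX"
}

# Constructed scenario: a predictable name already exists as a symlink.
# Prints three words: unsafe result, safe result, safe result on a fresh name.
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/elsewhere" "$sandbox/tmp"
    ln -s "$sandbox/elsewhere" "$sandbox/tmp/libtool-1234"

    if create_tmpdir_unsafe "$sandbox/tmp" libtool-1234
    then unsafe=accepted; else unsafe=rejected; fi

    if create_tmpdir_safe "$sandbox/tmp" libtool-1234
    then safe=accepted; else safe=rejected; fi

    if create_tmpdir_safe "$sandbox/tmp" libtool-5678
    then fresh=created; else fresh=failed; fi

    rm -rf "$sandbox"
    echo "$unsafe $safe $fresh"
}
```

Calling demo prints whether each variant accepted the pre-existing name; a caller of create_tmpdir_safe should treat a failure as fatal rather than retrying with -p.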