-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability Revision 1.2 Date Published: 2004-11-22 (KST) Last Update: 2004-11-22 Disclosed by SSR Team (advisory@stgsecurity.com) Summary ======== cscope is an interactive, screen-oriented tool that allows users to browse through C source files for specified elements of code. It is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the right of the user running them, which could be root. Vulnerability Class =================== Design error: insecure temp file handling Details ======= cscope was not designed to handle temp file securely. main.c 332 line /* create the temporary file names */ pid = getpid(); (void) sprintf(temp1, "%s/cscope%d.1", tmpdir, pid); (void) sprintf(temp2, "%s/cscope%d.2", tmpdir, pid); temporary files created with predictable names. /tmp/cscope[pid].1 /tmp/cscope[pid].2 If temp1, temp2 are assigned once, they aren't changed until cscope is terminated. Because cscope uses temp1, temp2 values repeatedly whenever user searches specified element of code, it's trivial to guess the names of temp files. Impact ====== Medium: System file corruption. Workaround ========== Do *NOT* run cscope as the right of root. rexolab's patch isn't the correct patch to this problem. cscope is made with C language, not PHP language, fopen() doesn't support mode 'x' in C library. Affected Products ================ cscope 15.5 and prior Vendor Status: NOT FIXED ======================= 2003-04-03 Vulnerability found by Jeremy Bae(aka opt, *^^*) (http://xsdeny.net/kweblog/stories.php?story=03/04/03/9181080) 2004-11-08 cscope developer notified. 2004-11-17 rexolab released the advisory irresponsibly and incorrectly. 2004-11-22 Official release. Credits ====== Jeremy Bae at STG Security -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBQaP3zD9dVHd/hpsuEQLOGACguBVlVe9myH978BHK+obHw6oPu1EAoOrH NrR86vgntUyQNJ7MacySBuBw =qDsj -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html