Tuesday, November 09, 2004

OpenSSL, Groff: Insecure tempfile handling Vulnerability

OpenSSL is a part of every sysadmin's life.

Here is a vulnerability that Gentoo Linux has published, in case you use the Groff utility.

groffer, included in the Groff package, and the der_chop script, included in the OpenSSL package, are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

OpenSSL is a toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols as well as a general-purpose cryptography library. It includes the der_chop script, which is used to convert DER-encoded certificates to PEM format. Groff (GNU Troff) is a typesetting package which reads plain text mixed with formatting commands and produces formatted output. It includes groffer, a command used to display groff files and man pages on X and tty.

Groffer and the der_chop script create files in a world-writable directory with predictable names.

So if you are the *root* user, an attacker could create symlinks and modify files with your permissions.
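
The pattern behind both bugs, next to two safe ways of creating the file. This is an added example, not code from groffer, der_chop or the Gentoo advisory; the function names, the `tool.tmp` file name and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; all names here are constructed, not taken from groffer or der_chop.

# Weak: fixed, guessable name in a shared directory. ">" follows a symlink
# that someone else placed at that path before the tool ran.
unsafe_write() {                 # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/tool.tmp"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively (mode 0600), so a pre-existing link is never opened.
safe_write() {
    tmp=$(mktemp "$1/tool.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"         # caller gets the path it must use
}

# If the name must stay fixed: noclobber (set -C) makes ">" fail instead of
# overwriting an existing file, and the caller sees the failure.
exclusive_write() {
    ( set -C; printf '%s\n' "$2" > "$1/tool.tmp" ) 2>/dev/null
}

# Run one writer against a private scratch directory in which the fixed
# name is already a symlink to another file; print that file's final content.
run_case() {                     # $1 = writer function name
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/shared"
    printf 'original\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/shared/tool.tmp"
    "$1" "$scratch/shared" 'tool output' >/dev/null 2>&1 || :
    cat "$scratch/victim"
    rm -rf "$scratch"
}

for w in unsafe_write safe_write exclusive_write; do
    printf '%-16s linked file now contains: %s\n' "$w" "$(run_case "$w")"
done
```

Only the first writer changes the linked file; the other two leave it untouched.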

Gentoo advises upgrading the Groff package and the OpenSSL package.

Upgrade Groff

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.19.1-r2"


Upgrade OpenSSL

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7d-r2"


The vulnerability listing can be found here.
