Example Sins

The following entries in Common Vulnerabilities and Exposures (CVE) at http://cve.mitre.org are examples of these sins.

CAN-2005-0004

The mysqlaccess script included with numerous versions of MySQL allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files. Part of the problem is that the code used POSIX::tmpnam, which returns a predictable temporary filename. An attacker could therefore create a symlink with that name pointing at a sensitive file, and when a privileged user ran the script, the code overwrote the file the symlink pointed to.

There is a code diff at http://lists.mysql.com/internals/20600; the fix is to work with open file handles rather than filenames, and to use File::Temp rather than POSIX::tmpnam. File::Temp creates the file under an unpredictable name with the O_EXCL flag and hands back the open handle, so there is no window between choosing the name and opening the file in which an attacker can plant a symlink.

CAN-2005-0799

This is another MySQL bug, but in this case it affects only Windows users. The vulnerability is caused by an error in the handling of reserved MS-DOS device names. It can be exploited to crash the server by changing to a database with a specially crafted name. It's low risk, but a privileged user could crash the server by issuing a command like:

 use PRN 

On Windows, PRN is a reserved name that always refers to the default printer, so this opens the printer device rather than a real file or directory on disk.
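The check below is an added example and is not MySQL's code or the vendor's fix. It rejects any user-supplied name that Windows would resolve to a device instead of a path, applying the normalization rules Windows itself uses: only the final path component matters, either separator is accepted, matching is case-insensitive, trailing dots and spaces are dropped, and an extension does not help (PRN.txt is still the printer). The reserved list is Microsoft's documented one (CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9); the validate_db_name wrapper and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not MySQL code. Refuses names that Windows maps to a device
# rather than to a file, so a "use PRN" style input never reaches the filesystem.
use strict;
use warnings;

# Reserved device names from Microsoft's file-naming rules. Windows also treats
# "NAME.ext" as the device, ignores case, and ignores trailing dots and spaces.
my %RESERVED = map { ($_ => 1) } (
    qw(CON PRN AUX NUL),
    (map { "COM$_" } 1 .. 9),
    (map { "LPT$_" } 1 .. 9),
);

# Returns 1 if $path would be interpreted as a DOS device name, 0 otherwise.
sub is_reserved_device_name {
    my ($path) = @_;
    # Windows accepts both separators; only the last component matters.
    my ($leaf) = $path =~ m{([^/\\]*)\z};
    return 0 unless defined $leaf && length $leaf;
    $leaf =~ s/[ .]+\z//;                  # Win32 strips trailing dots and spaces
    my ($base) = split /\./, $leaf, 2;     # "PRN.txt" -> "PRN"
    return 0 unless defined $base && length $base;
    return exists($RESERVED{ uc $base }) ? 1 : 0;
}

# Hypothetical wrapper: apply the check wherever a user-supplied name becomes a
# path, e.g. a database name that turns into a directory on disk.
sub validate_db_name {
    my ($name) = @_;
    die "refusing reserved device name '$name'\n" if is_reserved_device_name($name);
    return $name;
}

# Constructed inputs: 1 = should be rejected, 0 = ordinary name.
my @cases = (
    ['PRN'            => 1], ['prn.txt' => 1], ['C:\\data\\LPT1' => 1], ['con.' => 1],
    ['COM10'          => 0], ['printer' => 0], ['sales'          => 0], ['lpt'  => 0],
);
for my $c (@cases) {
    my ($in, $want) = @$c;
    my $got = is_reserved_device_name($in);
    printf "%-16s %-8s%s\n", $in, ($got ? 'RESERVED' : 'ok'),
        ($got == $want ? '' : '  <-- MISMATCH');
}
```

Note that COM10 is deliberately not rejected: the plain-name rule covers COM1 to COM9 only, which is why the list is enumerated rather than matched with a loose regex.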

CAN-2004-0452 and CAN-2004-0448

These two bugs are both race conditions in the way Perl's File::Path::rmtree works. Both can be exploited by replacing an existing subdirectory in the directory tree with a symbolic link to an arbitrary file while rmtree is running. The fix is fairly extensive, requiring almost a complete rewrite of the rmtree function. You can see the code diff at http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.4-8.diff.gz.

CVE-2004-0115 Microsoft Virtual PC for the Macintosh

The VirtualPC_Services process in Microsoft Virtual PC for Mac 6.0 through 6.1 allowed local attackers to truncate and overwrite arbitrary files, and potentially execute arbitrary code via a symlink attack on the /tmp/VPCServices_Log temporary file. The code blindly opens a temporary file named /tmp/VPCServices_Log, regardless of whether the file is real or a symlink. If this symlink points to another file, that file is clobbered. Imagine the fun if it pointed to /mach_kernel!
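The script below is an added example (not code from the book, MySQL, or Virtual PC) that reproduces the shape of both the mysqlaccess and the Virtual PC bugs and shows the two fixes the text describes. It runs on Unix inside a throwaway directory that stands in for /tmp; the file names VPCServices_Log and mach_kernel are stand-ins for the real paths, and the victim file is created by the script. First an attacker plants a symlink at the guessable name, then the vulnerable open-by-name pattern truncates the link's target; then the same attack is run against an O_CREAT|O_EXCL open, which the kernel refuses, and against File::Temp, which never uses a guessable name and returns the handle.

```perl
#!/usr/bin/perl
# Added example, not from the book or the affected products. Unix only (symlink()).
# Demonstrates the symlink trap behind CAN-2005-0004 and CVE-2004-0115 and the
# two fixes: O_EXCL creation, and File::Temp handing back an open handle.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Scratch directory standing in for /tmp; removed when $sandbox goes out of scope.
my $sandbox   = File::Temp->newdir();
my $victim    = "$sandbox/mach_kernel";      # stand-in for the file the attacker targets
my $guessable = "$sandbox/VPCServices_Log";  # fixed name a privileged process is known to use

sub reset_victim {
    open(my $fh, '>', $victim) or die "create $victim: $!";
    print $fh "precious bytes\n";
    close $fh;
}

sub victim_size { return -s $victim }

# Attacker step: reach the name first and point it at the target.
sub plant_symlink {
    unlink $guessable;
    symlink($victim, $guessable) or die "symlink: $!";
}

# Vulnerable pattern: open by name with truncation. open() follows the symlink,
# so the TARGET is truncated and overwritten, not a fresh temp file.
sub vulnerable_write_log {
    open(my $fh, '>', $guessable) or die "open $guessable: $!";
    print $fh "log line\n";
    close $fh;
}

# Fix 1: O_CREAT|O_EXCL. The kernel refuses if anything already exists at the
# path, including a symlink (wherever it points), so the link is never followed.
# Returns the handle, or undef when the name was already taken.
sub exclusive_create {
    my ($path) = @_;
    my $ok = sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return $ok ? $fh : undef;
}

# Fix 2 (what the mysqlaccess patch did): File::Temp picks an unpredictable
# name, creates it with O_EXCL and returns the open HANDLE. Use the handle;
# never re-open the file by name afterwards.
sub safe_temp_handle {
    my ($fh, $name) = tempfile('mysqlaccess.XXXXXXXX', DIR => "$sandbox", UNLINK => 1);
    return ($fh, $name);
}

reset_victim();
my $before = victim_size();
plant_symlink();
vulnerable_write_log();
printf "vulnerable: victim was %d bytes, now %d bytes (clobbered through the symlink)\n",
    $before, victim_size();

reset_victim();
plant_symlink();
my $fh = exclusive_create($guessable);
printf "O_EXCL:     open %s, victim still %d bytes\n",
    ($fh ? 'succeeded' : "refused ($!)"), victim_size();

my ($tfh, $tname) = safe_temp_handle();
print $tfh "log line\n";
close $tfh;
print "File::Temp: wrote through the handle to $tname, not to $guessable\n";
```

When the O_EXCL open fails with EEXIST the right response is to pick a different random name and try again, which is exactly what File::Temp does internally; falling back to a plain open of the same name would reintroduce the bug.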



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them