Info

Disclosure

Jul 05, 2005

Discovery

May 27, 2005

Dates

Exploit

Jul 05, 2005

Solution

Unknown

Description

Eksperymentalny Klient Gadu-Gadu (EKG) contains a flaw that may allow a malicious local user to overwrite or create arbitrary files on the system. The issue is due to the czyjest and handle_keypress() functions in the contrib/scripts/linki.py script creating temporary files insecurely. It is possible for a user to use a symlink style attack from a critical EKG file to the /tmp/rmrmg_ekg_url file. When EKG is run, the temporary symlink file is activated with the privileges of the user running EKG, resulting in a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Race Condition
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Eksperymentalny Klient Gadu-Gadu

ekg

20050605

References

Security Tracker: 1014382
Bugtraq ID: 14146
Secunia Advisory ID: 15889 16120 16363 16413
CVE ID: 2005-1916 (see also: NVD)
ISS X-Force ID: 21257
FrSIRT Advisory: ADV-2005-0963
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0369.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0076.html
Vendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=94172
Vendor URL: http://dev.null.pl/ekg/
Packet Storm: http://packetstormsecurity.org/0507-advisories/ekg.insecure.txt
Other Advisory URL: http://www.debian.org/security/2005/dsa-760
http://www.debian.org/security/2005/dsa-773
http://www.securiteam.com/unixfocus/5EP041PGAA.html
http://www.ubuntulinux.org/support/documentation/usn/usn-162-1
http://www.zataz.net/adviso/ekg-06062005.txt

Credit

Eric Romang - eromangzataz.net - ZATAZ Audit

Direct URL: http://osvdb.org/36218