On Thu, Jan 19, 2012 at 01:07:02AM +0100, srm wrote: > > morrn, > > > Impact > ====== > > Low > > > Summary > ======= > > When using usb_modeswitch and invoking pppd from wvdial in -detach mode. a > /tmp/debug > file is created. Local Attacker could overwrite arbitrary files. > > > Example > ======= > > ,file /tmp/debug > debug: broken symbolic link to `/etc/nologin' > > Insert stick and connect: > > ,su > Password: > ,sh connect >/dev/null > > ,file debug > debug: symbolic link to `/etc/nologin' > > ,cd /etc && cat nologin > symlink-name: /devices/pci0000:00/0000:00:1a.7/usb1/1-3/1-3:1.0/ttyUSB0/tty > > ,ls -l nologin > -rw-r--r-- 1 root root 84 Jan 19 01:11 nologin > > > Software > ======== > archlinux: community/usb_modeswitch 1.2.1-1c > archlinux: core/ppp 2.4.5-3 (base) > > > Please verify. YMMV. > > > Greetings > srm
So, the problem is definitive in the community package of archlinux. *sigh*. I checked version 1.2.2 from http://www.draisberghof.de/usb_modeswitch/#download It doesn't contain the '/tmp/debug' statement. However: The following version has the debug statement: https://www.archlinux.org/packages/community/i686/usb_modeswitch/ ,grep -n '/tmp/debug' usb_modeswitch.sh 66: echo "symlink-name: $2" >/tmp/debug A possible quick fix could be to append $$: 66: echo "symlink-name: $2" >/tmp/debug.$$ Greetings srm _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
