Vigil@nce - automake: removing directory via dash
September 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a symbolic link named /tmp/ins-$$, in
order to force the deletion of a directory named "d", with
privileges of automake.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 12/09/2014
DESCRIPTION OF THE VULNERABILITY
The automake install-sh script detects if the "mkdir -p" command
works by using a temporary directory named /tmp/ins$RANDOM-$$.
However, on some shells such as dash, the $RANDOM variable does
not exists, so the directory name can be predicted
(/tmp/ins$RANDOM-$$). At the end of the script, the
"/tmp/ins-$$/d" directory is deleted.
If an attacker created a symbolic link from ins-$$ to another
directory, then the sub-directory named "d" is removed by automake
install-sh.
A local attacker can therefore create a symbolic link named
/tmp/ins-$$, in order to force the deletion of a directory named
"d", with privileges of automake.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/automake-removing-directory-via-dash-15347