oss-sec mailing list archives
Re: Re: Security risk of server side text editing ...
From: Scott Court <z5t1 () z5t1 com>
Date: Fri, 1 Dec 2017 09:57:19 -0500
This has been assigned CVE-2017-17087
2. Vim .swp file group (Doesn't have a CVE ID)

This vulnerability was discovered by me. When Vim creates a .swp file, the .swp file is created with the owner and group set to the editor and editor's primary group respectively. The .swp file is then set to the same permissions as the original file (i.e. chmod 640). This creates a security vulnerability when the editor's primary group is not the same as the original file's group. For example, say the root user's primary group is "users", which every user is a member of. If root goes to edit /etc/shadow, the /etc/.shadow.swp file is created with permissions 640 and user:group set to root:users. The original /etc/shadow file had user:group set to root:shadow though; this now exposes the /etc/shadow file (which mind you contains hashes of every user's password) to every user on the system. Originally, I thought this was an extension of CVE-2017-1000382 so I didn't bother trying to get a CVE ID for it; however, upon looking at it for a second time, it seems that this is indeed a different vulnerability. It is possible to patch this vulnerability without patching CVE-2017-1000382.
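An audit check for the condition described in the message above, added here as an example and not part of the original post: it flags Vim swap files that are group-readable under a different group than the file they shadow. The names `scan`, `group_exposed` and `Finding` are hypothetical, and the swap suffix range `.swa` to `.swp` is an assumption about which fallback names to cover.

```python
import os
import re
import stat
import sys
from collections import namedtuple

# Vim names a swap file ".<name>.swp" and falls back to .swo, .swn, ...
# Assumption: covering .swa through .swp is enough for an audit pass.
SWAP_RE = re.compile(r"^\.(?P<name>.+)\.sw[a-p]$")

Finding = namedtuple("Finding", "swap original swap_gid original_gid")


def group_exposed(orig, swap):
    """True when the swap file widens read access beyond the original's group.

    The swap file inherits the original's mode bits (e.g. 640) but carries the
    editor's primary group, so the group-read bit now applies to another group.
    """
    if orig.st_mode & stat.S_IROTH:
        return False  # original is already world-readable, nothing is widened
    return swap.st_gid != orig.st_gid and bool(swap.st_mode & stat.S_IRGRP)


def scan(directory, stat_fn=os.stat):
    """Return a Finding for every exposed swap file directly inside directory."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        match = SWAP_RE.match(entry)
        if not match:
            continue
        swap_path = os.path.join(directory, entry)
        orig_path = os.path.join(directory, match.group("name"))
        try:
            swap, orig = stat_fn(swap_path), stat_fn(orig_path)
        except OSError:
            continue  # original missing or unreadable: no group to compare
        if group_exposed(orig, swap):
            findings.append(Finding(swap_path, orig_path, swap.st_gid, orig.st_gid))
    return findings


if __name__ == "__main__":
    for f in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f.swap}: gid {f.swap_gid}, but {f.original} has gid {f.original_gid}")
```

The check only compares a swap file with an original in the same directory, so swap files redirected elsewhere through Vim's `directory` option need a separate pass.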