HC's Capture the Flag website
25C3-CTF


Advisory #85

From team h4ck!nb3rg

New advisory by : churchy
Affected service(s): ultrashare
Severity [lmh] : low


Keep it up teams, 2.5 more hours to go :)

===== Problem =====
The file "test.rb" contains a vulnerability in the routine that creates random files:
filename = "#{rand(10000000)}.tmp"
File.open("/tmp/"+filename, "w") do |f|
  f.puts Time.now
end

The routine creates a file with a random name and writes to it without checking whether the file already exists, so previously generated files are overwritten. An attacker who has access to the system and can write to /tmp (which requires very low privileges; nearly every user can do that) can create the 100000000 files in advance as symlinks pointing to files the webserver has access to. The webserver will then overwrite the corresponding file when it executes the routine above (and may therefore destroy important system files).

===== Impact =====
As described above, shell access with very low privileges can lead to overwriting files the user normally does not have access to.


===== Fix =====
In the file test.rb, first check whether the file already exists. If it does, exit safely before "something bad" happens :) Like this:

# Check the same path that is opened (File.exists? was removed in Ruby 3.2)
if File.exist?("/tmp/" + filename)
  Process.exit
end
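
Added example, not part of the original advisory: a check followed by a separate open still leaves a window between the two calls, and File.exist? follows symlinks, so a link whose target does not exist yet passes the check. The Ruby sketch below contrasts the advisory's write with an exclusive create (O_CREAT|O_EXCL) and an unpredictable name. The helper names, file names and scratch directory are assumptions, and it assumes a POSIX system.

```ruby
require "securerandom"
require "tmpdir"

# The advisory's pattern: mode "w" follows symlinks and truncates the target.
def write_like_test_rb(path)
  File.open(path, "w") { |f| f.puts Time.now }
end

# O_CREAT|O_EXCL: open(2) fails with EEXIST if the name exists at all, even as
# a symlink (dangling or not). Check and creation are one atomic step.
def write_exclusive(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.puts Time.now }
  true
rescue Errno::EEXIST
  false
end

# Hypothetical replacement for the routine: unpredictable name, exclusive create.
def create_tmp(dir, attempts: 5)
  attempts.times do
    path = File.join(dir, "#{SecureRandom.hex(16)}.tmp")
    return path if write_exclusive(path)
  end
  raise "no unique temporary file after #{attempts} attempts"
end

# Constructed scenario inside a private scratch directory (stands in for /tmp).
def demo
  Dir.mktmpdir do |dir|
    victim   = File.join(dir, "victim.conf")
    planted  = File.join(dir, "1234567.tmp")   # pre-created symlink to victim
    dangling = File.join(dir, "7654321.tmp")   # symlink to a file not yet present
    absent   = File.join(dir, "new.conf")
    File.write(victim, "important\n")
    File.symlink(victim, planted)
    File.symlink(absent, dangling)
    result = {
      check_sees_dangling: File.exist?(dangling),   # false: exist? follows the link
      excl_on_planted:     write_exclusive(planted),
      excl_on_dangling:    write_exclusive(dangling),
      victim_intact:       File.read(victim) == "important\n",
      absent_created:      File.exist?(absent),
      fresh_is_regular:    File.lstat(create_tmp(dir)).file?
    }
    write_like_test_rb(planted)                     # the vulnerable write
    result.merge(victim_after_vulnerable_write: File.read(victim))
  end
end
p demo if __FILE__ == $0
```

On Linux, fs.protected_symlinks=1 additionally blocks following such links in sticky world-writable directories, but the exclusive create does not depend on that setting.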





Rating

[2] That's nice.
