AOH :: HP Unsorted L :: B1A-1079.HTM

Linux Mint 8 mintUpdate Insecure Temporary File Creation



Linux Mint 8 mintUpdate Insecure Temporary File Creation
Linux Mint 8 mintUpdate Insecure Temporary File Creation



=====================================================================Linux Mint 8 mintUpdate Insecure Temporary File Creation
=====================================================================
Author:          L4teral 
Impact:          Privilege Escalation
Status:          Update available


------------------------------
Affected software description:
------------------------------

Application:     mintUpdate (Linux Mint)
Version:         Linux Mint 8
Vendor: http://linuxmint.com 

Description:
Linux Mint's purpose is to produce an elegant, up to date and
comfortable GNU/Linux desktop distribution.


--------------
Vulnerability:
--------------

The Linux Mint update tool mintUpdate creates temporary files in the
/tmp/mintUpdate/ directory in an insecure way. This can be exploited
to overwrite restricted files via symlink attacks.


------------
PoC/Exploit:
------------

The symlinks must exist when the user clicks on the mintUpdate Icon.
After requesting root privileges via sudo, the update tool overwrites
the target file with log data. This could be exploited to destroy
crucial system files.


---------
Solution:
---------

Update to Linux Mint 9
or apply the following patch:
http://github.com/linuxmint/mintupdate/commit/301993906c694eb119cd9614817de57e7b0c874c 


---------
Timeline:
---------

2010-03-08 - vendor informed
2010-03-17 - vendor response, patched in source repository
2010-05-18 - Linux Mint 9 released, public disclosure

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.