Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200811241634.08610.ludwig.nussel@suse.de>
Date: Mon, 24 Nov 2008 16:34:07 +0100
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: cve@...re.org
Cc: oss-security@...ts.openwall.com
Subject: CVE Request: VirtualBox tmp file issue

Hi,

http://www.virtualbox.org/wiki/Changelog:
VirtualBox 2.0.6
- Linux/Solaris/Darwin hosts: verify permissions in /tmp/vbox-$USER-ipc

These changes match that description:
http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810&old=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%407049

VirtualBox uses /tmp/vbox-$USER-ipc to store a socket and a lock
file. The lock file is truncated after a simple open call. AFAICS
creating /tmp/vbox-$USER-ipc before the victim starts VirtualBox
could therefore be exploited to create files as the victim or
truncate files of the victim.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.