OSVDB ID: 22320

Title: FreeBSD ee ispell_op Function Symlink Arbitrary File Overwrite

Dates

Disclosure: Jan 11, 2006
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

The Easy Editor (ee) on FreeBSD contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the program invoking the ispell_op function, which creates temporary files insecurely when ispell is run from within ee. A user can mount a symlink-style attack to manipulate arbitrary files with the privileges of the user running ee, resulting in a loss of integrity.
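The flaw class described above, shown as an added C example that is not taken from ee or from the FreeBSD patch: a scratch file opened at a predictable name follows a symlink already present at that name, while `mkstemp()` does not. The sandbox directory, the file names and both helper functions are constructed for illustration, and `mkstemp()` is shown as the common remedy for this class, not as the fix FreeBSD shipped.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: predictable name; open() follows a symlink found there. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL, so an existing symlink is never followed. */
static int open_hardened(const char *dir) {
    char tmpl[512];
    snprintf(tmpl, sizeof tmpl, "%s/ee.XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd >= 0) unlink(tmpl);          /* scratch file: drop the name at once */
    return fd;
}

/* Runs one scenario in a private sandbox directory and returns the size of the
 * protected file after the scratch write: 9 bytes means it was left intact. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/ee-demo.XXXXXX";             /* constructed sandbox */
    char victim[512], link_path[512];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/ee.12345", dir); /* hypothetical name */

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9) return -1;
    close(fd);
    if (symlink(victim, link_path) != 0) return -1; /* link sits at the known name */
    fd = hardened ? open_hardened(dir) : open_predictable(link_path);
    if (fd < 0 || write(fd, "sp", 2) != 2) return -1;
    close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(link_path); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable name: victim is %ld bytes\n", victim_size_after(0));
    printf("mkstemp():        victim is %ld bytes\n", victim_size_after(1));
    return 0;
}
```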

Classification

Location: Local Access Required
Attack Type: Race Condition
Impact: Loss of Integrity
Disclosure: OSVDB Verified

Solution

Upgrade to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_0, RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date, as this has been reported to fix the vulnerability. In addition, FreeBSD has released a patch to address this vulnerability. It is also possible to work around the flaw: instead of invoking ispell through ee, invoke it directly.

Products

FreeBSD Project

FreeBSD

2.1
2.1.5
2.1.6
2.1.7
2.2
2.2.1
2.2.2
2.2.5
2.2.6
2.2.7
2.2.8
3.0
3.1
3.2
3.3
3.4
3.5
4.0
4.1
4.1.1
4.2
4.3
4.4
4.5
4.6
4.6.2
4.7
4.8
4.9
4.10
4.11
5.0
5.1
5.2
5.2.1
5.3
5.4
6.0
6.0-RELEASE

Credit

  • Christian S.J. Peron

Direct URL: http://osvdb.org/22320