Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5754
HistoryFeb 11, 2004 - 12:00 a.m.

Microsoft Virtual PC Services Insecure Temporary File Creation

2004-02-1100:00:00
vulners.com
14
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                            @stake, Inc.
                          www.atstake.com

                         Security Advisory

Advisory Name: Virtual PC Services Insecure Temporary File Creation
Release Date: 02/10/2004
Application: Connectix Virtual PC 6.0.x
Microsoft Virtual PC 6.1
Platform: Mac OS X
Severity: Local privilege escalation
Author: George Gal <[email protected]>
Vendor Status: Vendor has updated version of the software
CVE Candidate: CAN-2004-0115
Reference: www.atstake.com/research/advisories/2004/a021004-1.txt

Overview:

Virtual PC is a popular x86 virtual machine emulator capable running
several guest operating systems under the Mac OS X and Windows
platforms. Virtual PC provides a set of services for managing network
sharing capabilities under Mac OS X. These services are spawned from
the setuid root binary, VirtualPC_Services, which creats several
temporary files when it is executed. The VirtualPC_Services does not
check for several unsafe conditions prior to creation of these
temporary files. As a result an attacker with interactive login
access to the system may leverage insecure temporary files to become
root or overwrite critical system files.

Details:

@stake has identified a vulnerability within the setuid root binary,
VirtualPC_Services, due to its inability to check for dangerous
conditions prior to temporary file creation. This vulnerability
allows an attacker to truncate and overwrite arbitrary files in
addition to creation of arbitrary files with insecure file
permissions.

Using this vulnerability it is feasible for an attacker to gain root
privileges on the system. The VirtualPC_Services binary creates a
log file upon startup as /tmp/VPCServices_Log. An attacker may
create a symbolic link in the /tmp/ directory as VPCServices_Log
pointing to an arbitrary file to be overwritten when the
VirtualPC_Services binary is executed. However, when the symbolic
link points to a non-existent file a new file is created with file
permissions determined by the unprivileged user's umask(2) settings.

Vendor Response:

Microsoft has an updated version of the software available.

Download information available at:

http://www.microsoft.com/technet/security/bulletin/MS04-005.asp

Recommendation:

If possible install the updated version of Virtual PC.

Do not install Virtual PC on a multi-user machine. If this is a
requirement, only allow users with in a particular group to access
Virtual PC.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2004-0115

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCkrWke9kNIfAm4yEQJr3gCgzh/grlYI0dPRnvOmCYIYXPtTKTEAniMG
FMuE/Uyj9h/1q8+peD80BmPq
=W/J8
-----END PGP SIGNATURE-----

Related

securityvulns 1
cert 1
cve 1
securityvulns
securityvulns
Microsoft Security Bulletin MS04-005
2004-02-11 00:00:00
cert
cert
Microsoft Virtual PC for Mac insecurely handles temporary file
2004-02-24 00:00:00
cve
cve
CVE-2004-0115
2004-03-03 05:00:00
JSON
Related for SECURITYVULNS:DOC:5754
securityvulns1cert1cve1