Bugtraq mailing list archives
Re: AIX/Gradient iFOR/LS bug: follows symlinks
From: troy () AUSTIN IBM COM (Troy A. Bollinger)
Date: Mon, 9 Feb 1998 17:39:51 -0600
Quoting Joerg Schumacher (schuma () gaertner de):
> AIX 4.1 includes the iFOR/LS (formerly known as NetLS) license server
> from Gradient Technologies. Some parts of this system (NCS, server and
> client libs) use a cache file (/tmp/last_uuid, mode 0666), which will be
> created on the fly if missing. The code has the classical file open bug:
> it will happily follow any symlink.
>
> I guess IBM and Gradient had their chance to fix this bug, since I
> reported it back in December 1996 (no typo, more than a year ago).
>
> IIRC, HP-UX had (and may still have) this bug too.

Yes, we've had more than ample time to fix this and I personally thank you for the patience you've shown. Unfortunately, it's difficult to fix the bugs when you don't own the source code (I guess bugtraq readers already know that ;-). For those keeping score this is PMR 1540x,025,724. A simple workaround for this is to remove and recreate /tmp/last_uuid in /sbin/rc.boot. This will limit the attack to filling the /tmp partition.

> Some complaints:
>
> to IBM: I guess it's time to review the APAR process wrt security.
>   Having a security related bug hanging around for more than a
>   year at low priority is definitely a bad thing.

Hopefully, this case will be an exception. I'd like to think that the process has improved significantly (e.g. the recent routed bug posted to bugtraq had a pretty fast followup).

> to IBM-ERS: I've submitted a Cc of my original bug report to
>   ers-tech () vnet ibm com but I never got any feedback. Granted, you
>   don't want us to send any reports via email, but this "small
>   planet" isn't small enough to let me call you via phone for free.
>
> to DFN-CERT: Where have you been? No tracking seen despite my Cc.

IIRC, IBM-ERS and DFN-CERT harassed me about this several times... ;-)

> Thanks to Troy Bollinger (troy () austin ibm com) for pointing out some
> other insecurely created temporary files.

I also pointed out how to fix them, didn't I? :-) I'll update the list I sent you and post it here. Most of the world-writable files (with the exception of /tmp/last_uuid) have been fixed. I'd appreciate hearing about any I missed.

> Regards, Joerg

Thanks.

--
Troy Bollinger                      troy () austin ibm com
AIX Security Development            security-alert () austin ibm com
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy
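
A defensive open for a cache file like the /tmp/last_uuid discussed in this thread, as an added example that is not from the original post and not the iFOR/LS code. It assumes a POSIX.1-2008 system that provides O_NOFOLLOW; the names open_cache_nofollow and selfcheck, the 0600 mode and the temporary paths are illustrative choices.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create a cache file without following a symlink planted at its name. */
int open_cache_nofollow(const char *path)
{
    struct stat st;
    /* O_CREAT|O_EXCL never follows a symlink; 0600 is this example's choice. */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;
    fd = open(path, O_RDWR | O_NOFOLLOW);   /* ELOOP if path is a symlink */
    if (fd < 0) return -1;
    /* Check the object actually opened: plain file, no extra hard links. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed self-check in a private temp directory; returns 0 on success. */
int selfcheck(void)
{
    char dir[] = "/tmp/nofollowXXXXXX", name[64], victim[64];
    int fd, bad = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(name, sizeof name, "%s/last_uuid", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, name) < 0) return -1;
    fd = open_cache_nofollow(name);           /* symlink planted: refused */
    if (fd >= 0) { bad |= 1; close(fd); }
    if (access(victim, F_OK) == 0) bad |= 2;  /* link target never created */
    unlink(name);
    fd = open_cache_nofollow(name);           /* fresh name: created */
    if (fd < 0) bad |= 4; else close(fd);
    fd = open_cache_nofollow(name);           /* existing regular file: reopened */
    if (fd < 0) bad |= 8; else close(fd);
    unlink(name); rmdir(dir);
    return bad;
}
```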