Bugtraq mailing list archives

Re: AIX/Gradient iFOR/LS bug: follows symlinks


From: troy () AUSTIN IBM COM (Troy A. Bollinger)
Date: Mon, 9 Feb 1998 17:39:51 -0600


Quoting Joerg Schumacher (schuma () gaertner de):
> AIX 4.1 includes the iFOR/LS (formerly known as NetLS) license server
> from Gradient Technologies.  Some parts of this system (NCS, server and
> client libs) use a cache file (/tmp/last_uuid, mode 0666), which will be
> created on the fly if missing.  The code has the classical file open bug:
> it will happily follow any symlink.
>
> I guess IBM and Gradient had their chance to fix this bug, since I
> reported it back in December 1996 (no typo, more than a year ago).
> IIRC, HP-UX had (and may still have) this bug too.

Yes, we've had more than ample time to fix this and I personally thank
you for the patience you've shown.  Unfortunately, it's difficult to
fix the bugs when you don't own the source code (I guess bugtraq
readers already know that ;-).  For those keeping score this is PMR
1540x,025,724.

A simple workaround for this is to remove and recreate /tmp/last_uuid
in /sbin/rc.boot.  This will limit the attack to filling the /tmp
partition.

> Some complaints:
>
>    to IBM: I guess it's time to review the APAR process wrt security.
>            Having a security related bug hanging around for more than a
>            year at low priority is definitely a bad thing.

Hopefully, this case will be an exception.  I'd like to think that the
process has improved significantly (e.g. the recent routed bug posted
to bugtraq had a pretty fast followup).

>    to IBM-ERS: I've submitted a Cc of my original bug report to
>              ers-tech () vnet ibm com but I never got any feedback.
>              Granted, you don't want us to send any reports via
>              email, but this "small planet" isn't small enough to let me
>              call you via phone for free.
>
>    to DFN-CERT: Where have you been?  No tracking seen despite my Cc.


IIRC, IBM-ERS and DFN-CERT harassed me about this several times...   ;-)

> Thanks to Troy Bollinger (troy () austin ibm com) for pointing out some
> other insecurely created temporary files.

I also pointed out how to fix them didn't I?   :-)

I'll update the list I sent you and post it here.  Most of the
world-writable files (with the exception of /tmp/last_uuid) have been
fixed.  I'd appreciate hearing about any I missed.

> Regards,
> Joerg

Thanks.
-- 
Troy Bollinger                            troy () austin ibm com
AIX Security Development        security-alert () austin ibm com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
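Added example, not code from this thread, IBM or Gradient: a small C program contrasting the "classical file open bug" Joerg describes (open the cache file with O_CREAT and follow whatever is at the path) with a hardened open that refuses symlinks via O_NOFOLLOW and checks the result with fstat. The demo runs entirely in a constructed scratch directory owned by the caller; the victim file and the name /tmp/last_uuid-demo-XXXXXX are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread describes: create the cache file if it is
 * missing and open whatever sits at that path, symlink included. */
int open_cache_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened pattern: O_NOFOLLOW (POSIX.1-2008, assumed available) makes
 * open() fail with ELOOP on a symlink; the fstat check then rejects
 * anything that is not a regular file owned by the calling user. */
int open_cache_safe(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demo on a constructed scratch directory: a symlink is planted where
 * the cache file is expected, pointing at an empty "victim" file we own.
 * Returns a bitmask: bit 0 set if the unsafe open wrote through the link
 * into the victim, bit 1 set if the safe open refused with ELOOP. */
int demo_symlink_follow(void) {
    char dir[] = "/tmp/last_uuid-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[300], link[300];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/last_uuid", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, link) != 0) return -1;
    int result = 0, fd = open_cache_unsafe(link);
    if (fd >= 0 && write(fd, "x", 1) == 1) {
        struct stat st;
        if (stat(victim, &st) == 0 && st.st_size == 1) result |= 1;
    }
    if (fd >= 0) close(fd);
    if (open_cache_safe(link) < 0 && errno == ELOOP) result |= 2;
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```

The same check belongs in the boot-time workaround: a file that is removed and recreated in /sbin/rc.boot should still be opened without following links by the code that later uses it.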
