Bugtraq mailing list archives
Re: Xinetd /tmp race?
From: fileland () SOUND NET (Wayne Schroeder)
Date: Wed, 11 Nov 1998 13:40:29 -0600
My xinetd (2.2.1-5) from debian hamm does this.. but if you will notice HUP is NOT used anywhere like inetd does. HUP is used only to cause it to dump info.. as documented. Sig 10 is reload. YES it IS a race... but the dump file can easily be changed to something else in the source config.

Wayne

On Wed, Nov 11, 1998 at 03:28:03AM +0100, Balazs Nagy wrote:
Hiyas, If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but this method isn't checked against /tmp, and it happily overwrites anything in the place of that file. The package has been released in 1997, IMHO this is too old to have a bug of this kind hidden. BTW here's the patch: diff -ruN xinetd-2.2.1.orig/xinetd/internals.c xinetd-2.2.1/xinetd/internals.c --- xinetd-2.2.1.orig/xinetd/internals.c Sun Nov 8 13:28:00 1998 +++ xinetd-2.2.1/xinetd/internals.c Sun Nov 8 13:27:33 1998 @@ -55,7 +55,14 @@ register int fd ; register unsigned u ; char *func = "dump_internal_state" ; + struct stat sb; + if (!(stat(dump_file, &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1)) + { + msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable link", dump_file ) ; + return ; + } + dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ; if ( dump_fd == -1 ) { -- Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8 86 64 9C 42 41 A4 BD B8
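Review bot: the stat() guard added at the top of dump_internal_state is itself a check-then-use race and does not actually test for a link. stat() follows symbolic links, so S_ISREG(sb.st_mode) and sb.st_nlink describe the link's target, and a symlink pointing at any singly linked regular file passes the test; even with lstat() the name can be replaced between the check and the open() with O_CREAT and O_APPEND that follows. In addition, when stat() fails with an errno other than ENOENT the first clause is true and sb is read uninitialized. Suggest opening first (exclusive create, and no link following where the platform offers it) and then validating the descriptor with fstat(), or moving dump_file out of /tmp altogether. The log text "failed to open %s" is also misleading, since no open has been attempted at that point.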
--
[ Razathorn <fileland () sound net> ]
[ PGP public key http://www.sound.net/~fileland/pubkey.shtml ]
[ Finger Print: B8 9B 4B F5 67 1C A3 86 2F 91 F2 81 08 08 79 49 ]
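Added example (not from this thread and not xinetd code): one way to open a dump file in a world-writable directory so that the check and the open cannot be raced, assuming a POSIX.1-2008 system that provides O_NOFOLLOW. The names open_dump_file and demo and the scratch paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not xinetd code; open_dump_file() is a hypothetical name.
 * Opens a dump file for append without trusting the name; -1 means refused. */
int open_dump_file(const char *path, mode_t mode)
{
    struct stat sb;
    /* O_EXCL refuses any existing name, including a dangling symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd == -1 && errno == EEXIST) /* exists: reopen, never through a symlink */
        fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1)
        return -1;
    /* Validate the object we hold, not the name; nlink and uid catch hard links. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) ||
        sb.st_nlink != 1 || sb.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo: scratch directory, optional symlink planted at the dump
 * name as a local user could in /tmp. Returns 1 if opened, 0 if refused. */
int demo(int plant_link)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/xinetd.dump", dir);
    if (plant_link && symlink("/dev/null", path) == -1)
        return -1;
    int fd = open_dump_file(path, 0644);
    if (fd != -1)
        close(fd);
    unlink(path); rmdir(dir);
    return fd != -1;
}

int main(void)
{
    return printf("clean: %d, symlink: %d\n", demo(0), demo(1)) < 0;
}
```

Because the decision is made with fstat() on the descriptor already held, there is no window between the check and the use for the name to be swapped.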