Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Race condition in BRU Workstation 17.0

From: prophecy () prophecy net nz
Date: Sat, 14 Sep 2002 10:20:03 +1200 (NZST)

Thanks to Peter Watkins for the suggested fix.

Also, TolisGroup have responded with confirmation of an update for the first reported race 
condition (http://online.securityfocus.com/bid/3970), and an ETA on a new update for this one just discovered.

Cheers,
prophecy () prophecy net nz



On Fri, 13 Sep 2002, support () tolisgroup com wrote:


The /tmp file exploit in the previous setlicense was fixed the day after 
it was mentioned and posted.  All new version of the setlicense program (since 
BRU 17.0.0.0.5) no longer require any /tmp file access.

As for this one, we are working on a new release of XBRU that will 
resolve it. ETA Late September.

Tim Jones




On Fri, 13 Sep 2002, Peter Watkins wrote:


Isn't xbru still a Tcl script? It should not be too hard to locate 
references to /tmp/ and fix the problem. I've got an older copy of 
BRU on my system & it has a similar problem, but not exactly the same.
Anyhow, a general fix would be 1) putting the following code at the 
beginning of the Tcl script that xbru uses (on my system, that's xbru.tcl)
and 2) replacing each instance of the string "/tmp" (without quotations)
with the string "[brufixGetTmpdir]" (without quotations). As a variant of 
step 1), you could save this as /usr/local/lib/brufix-tmpdir.tcl or 
something and modify xbru to add 
  source /usr/local/lib/brufix-tmpdir.tcl
near the beginning of the script, to make the changes cleaner.

-Peter


# brufix-tmpdir.tcl
# Tcl code to make a safe temporary directory for BRU Tcl/Tk scripts
# Peter Watkins, 2002 - sample code, no guarantees
#
proc brufixSetTmpdir {} {
  # make the safe temp dir & store its name in a global var
  # or exit if errors; respect $TMPDIR if set
  global env
  global brufixTmpdir
  set brufixBaseTmpdir {/tmp}
  catch {set brufixBaseTmpdir $env(TMPDIR)}
  if {([file isdirectory $brufixBaseTmpdir] == 0) || ([file exists $brufixBaseTmpdir] == 0)} {
    puts stderr "temporary directory $brufixBaseTmpdir does not exist!"
    exit 1
  }
  set brufixTmpdir "$brufixBaseTmpdir/bru-[clock clicks]"
  if {[catch {file mkdir $brufixTmpdir}] != 0} {
    puts stderr "error creating temporary directory $brufixTmpdir !"
    exit 1
  }
  if {[catch {exec /bin/chmod 0700 $brufixTmpdir}] != 0} {
    puts stderr "error setting perms on temporary directory $brufixTmpdir !"
    exit 1
  }
}
proc brufixGetTmpdir {} {
  # return the safe temp directory name
  global brufixTmpdir
  if {([info exists brufixTmpdir] == 0) || ([string length $brufixTmpdir] == 0)} {
    puts stderr "need to call brufixSetTmpdir before brufixGetTmpdir!"
    exit 2
  }
  if {([file isdirectory $brufixTmpdir] == 0) || ([file exists $brufixTmpdir] == 0)} {
    puts stderr "BRU temporary directory $brufixTmpdir does not exist!"
    exit 3
  }
  return $brufixTmpdir
}
# early in the execution: make sure we have a good directory
# this should only be called once!
brufixSetTmpdir

On Fri, Sep 13, 2002 at 12:08:16PM +1200, prophecy () prophecy net nz wrote:


Problem:



Fix:
  - No response from vendor: (support () tolisgroup com)



Strace Snippet:

[pid 32159] execve("/bin/dd", ["dd", "if=/dev/nst0", 
"of=/tmp/xbru_dscheck.dd", "bs=32k", "count=1"], [/* 38 vars */]) = 0
[pid 32159] open("/tmp/xbru_dscheck.dd", 
O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 1
Previous By Date Next
Previous By Thread Next

Current thread: