oss-sec mailing list archives
Re: [klibc] CVE request: klibc: ipconfig sh script with unescaped DHCP options
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 18 May 2011 16:13:05 -0400
Might it be worth fixing the insecure temporary file usage? 122 snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name); 123 f = fopen(fn, "w"); What if someone else has already created that file, or put a symlink or hard link there? What if someone overwrites your string with command injection characters despite your stripping? -Dan On Wed, May 18, 2011 at 4:44 AM, maximilian attems <max () stro at> wrote:
Related to CVE-2011-0997 ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later used unquoted, than proof of concept involves DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)" fix: http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff will be part of the just to be released klibc-1.5.22 -- maks _______________________________________________ klibc mailing list klibc () zytor com http://www.zytor.com/mailman/listinfo/klibc
Current thread:
- [klibc] CVE request: klibc: ipconfig sh script with unescaped DHCP options maximilian attems (May 18)
- Re: [klibc] CVE request: klibc: ipconfig sh script with unescaped DHCP options Dan Rosenberg (May 18)
- Re: [klibc] [oss-security] CVE request: klibc: ipconfig sh script with unescaped DHCP options maximilian attems (May 18)
- Re: [klibc] CVE request: klibc: ipconfig sh script with unescaped DHCP options Josh Bressers (May 19)
- Re: [klibc] CVE request: klibc: ipconfig sh script with unescaped DHCP options Dan Rosenberg (May 18)