oss-sec mailing list archives
pscripts tmp vuln leading to possible code exec
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Sep 2014 01:12:52 -0600
https://pypi.python.org/pypi/pscripts pscripts-0.1.160/pscripts/external_ip_address.py ########################################## # Settings #-------------- ip_cache_file = '/tmp/.current_external_ip' def save_ip_addy(new_ip, domain): ip_updates = shelve.open(ip_cache_file) ip_updates[domain] = new_ip log.debug("Caching IP address: {}, under domain: {}".format(new_ip, domain)) ip_updates.close def read_ip_addy(domain): ip_updates = shelve.open(ip_cache_file) if ip_updates: if not domain in ip_updates: return None else: ip = ip_updates[domain] log.debug("Cached IP address: {} retrieved for domain: {}".format(ip, domain)) return ip ################################# # ENTRY POINT def update_ddns_server(updater_urls="/etc/external_ip_updater/urls.yaml", update=True, manual_force_update=False): try: external_ip = get_ip() if external_ip == None: log.warn("Unable to determine external IP. This may be temporary or not. Verify this warning doesn't persist.") return log.debug("External IP address {}".format(str(external_ip))) ddns_urls = read_yaml_update_urls(updater_urls) for domain, update_url in ddns_urls.items(): log.debug("For domain: {}, the update url is: {}".format(domain,update_url)) prev_ext_ip = read_ip_addy(domain) changed = ip_addy_changed(external_ip, prev_ext_ip) if changed or manual_force_update or periodic_force_update(): log.debug("IP changed or forcing update.") if update or manual_force_update: log.info("Updating domain: {} with IP: {}".format(domain, external_ip)) touch_ddns_server(update_url) save_ip_addy(external_ip,domain) Then later on: def test_update_ip(): updater_urls = "/etc/external_ip_updater/urls.yaml" update_ddns_server(updater_urls, force_update=True) So it looks like you might be able to write to the cache and then do a man in the middle attack against the updater which I'm guessing == code exec. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- pscripts tmp vuln leading to possible code exec Kurt Seifried (Sep 11)