oss-sec mailing list archives

pscripts tmp vuln leading to possible code exec

From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Sep 2014 01:12:52 -0600

https://pypi.python.org/pypi/pscripts
pscripts-0.1.160/pscripts/external_ip_address.py


##########################################
# Settings
#--------------
ip_cache_file = '/tmp/.current_external_ip'


def save_ip_addy(new_ip, domain):
    ip_updates = shelve.open(ip_cache_file)
    ip_updates[domain] = new_ip
    log.debug("Caching IP address: {}, under domain: {}".format(new_ip,
domain))
    ip_updates.close

def read_ip_addy(domain):
    ip_updates = shelve.open(ip_cache_file)
    if ip_updates:
        if not domain in ip_updates:
            return None
        else:
            ip = ip_updates[domain]
            log.debug("Cached IP address: {} retrieved for domain:
{}".format(ip, domain))
            return ip

                        
#################################
# ENTRY POINT
def
update_ddns_server(updater_urls="/etc/external_ip_updater/urls.yaml",
update=True, manual_force_update=False):
    try:
        external_ip = get_ip()
        if external_ip == None:
            log.warn("Unable to determine external IP.  This may be
temporary or not.  Verify this warning doesn't persist.")
            return
        log.debug("External IP address {}".format(str(external_ip)))
        ddns_urls = read_yaml_update_urls(updater_urls)
        for domain, update_url in ddns_urls.items():
            log.debug("For domain: {}, the update url is:
{}".format(domain,update_url))
            prev_ext_ip = read_ip_addy(domain)
            changed = ip_addy_changed(external_ip, prev_ext_ip)
            if changed or manual_force_update or periodic_force_update():
                log.debug("IP changed or forcing update.")
                if update or manual_force_update:
                    log.info("Updating domain: {} with IP:
{}".format(domain, external_ip))
                    touch_ddns_server(update_url)
                    save_ip_addy(external_ip,domain)

Then later on:
                                        
def test_update_ip():
    updater_urls = "/etc/external_ip_updater/urls.yaml"
    update_ddns_server(updater_urls, force_update=True)

So it looks like you might be able to write to the cache and then do a
man in the middle attack against the updater which I'm guessing == code
exec.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

pscripts tmp vuln leading to possible code exec Kurt Seifried (Sep 11)