Bugtraq mailing list archives

Re: your mail

From: ariel () FIREBALL TAU AC IL (Ariel Biener)
Date: Sat, 26 Jul 1997 07:50:13 +0300


On Sat, 26 Jul 1997, Nicolas Dubee wrote:

                   plaguez security advisory n. 8

                kerneld / request-route vulnerability


Program:  kerneld(1) , the kernel messages daemon handler
          request-route, a sample ppp connection script

Version:  all kerneld/request-route versions

OS:       Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3)

Problem:  lock files, symlinks

Impact:   when kerneld/request-route are set up,
          any user can overwrite any file on the system.



hello all,

this week, we'll see a weird thing that should have been
removed for years, but that has apparently survived in recent
Linux versions.

kerneld(1) is a daemon that "performs kernel action in user space"
(see man page).
request-route is a shell script that should launch pppd and
allocate a network route 'on-the-fly' when kerneld receives
a 'request-route' kernel message.
It can also be configured to use other network interfaces.

request-route uses a lockfile named /tmp/request-route
where it writes its pid in.
Unfortunatly, request-route does not check wether this
lockfile already exists, will follow symlinks and will
create new files mode 600...

One can then create/write to any file on the affected
system, regardless of permissions.

An attacker would create a symlink from the /tmp/request-route
file to any file on the system. He would then for example
telnet to a host, resulting in a request-route kernel
message. The /sbin/request-route would then be executed
and would overwrite the file at the end of the symlink.


Fix:
----


/sbin/request-route is a script. So, the script can be fixed to check for
the lock file, or whatever other security check are needed. No need to
just go and remove before finding a suitable solution.

 A simple solution would be to add a:

        set -o noclobber

In the script, right here:

        sleep 60 &
        sleepid=$!
--->    set -o noclobber
        echo $sleepid > $LOCK
        wait $sleepid

Regards,

--Ariel


    rm -rf /sbin/request-route




that's all for this week.

See you later,

-plaguez



------------------------
        plaguez
dube0866 () eurobretagne fr
http://plaguez.innu.org/
        ^^^^^^^^(soon)
------------------------


   +---------------------------------------------------------+
   | Ariel Biener                                            |
   | e-mail: ariel () post tau ac il        Work ph: 03-6406086 |
   +---------------------------------------------------------+

Current thread:

Re: CPSR 7: IRIX WWW Server Thomas Walter (Jul 24)
- Re: CPSR 7: IRIX WWW Server Aaron Bornstein (Jul 24)
- Security hole in mgetty+sendfax Gert Doering (Jul 24)
  - BIND Nuking Aveek Datta (Jul 24)
    - Re: BIND Nuking Thomas H. Ptacek (Jul 29)
    - ANNOUNCE: inn-1.5.1sec (fwd) Christopher Samuel (Jul 30)
  - Re: Security hole in mgetty+sendfax Gert Doering (Jul 25)
  - BIND Nuking Nicolas Dubee (Jul 25)
    - Re: your mail Ariel Biener (Jul 25)
    - Re: request-route Zoltan Hidvegi (Jul 28)
    - Re: request-route Eric Bennett (Jul 29)
    - Re: request-route John Macdonald (Jul 29)
    - Re: request-route Kragen Sitaker (Jul 30)
    - Re: request-route John Macdonald (Jul 31)
    - perl fingerd stupidity Chris Terry (Jul 31)
    - HP Security Bulletins Digest Aleph One (Jul 31)
    - Re: request-route Mihai SANDU (Jul 26)
    - Netspace Singapore Privacy Bug Aleph One (Jul 26)
    - Re: your mail Alan Cox (Jul 27)

(Thread continues...)