Bugtraq mailing list archives
Re: your mail
From: ariel () FIREBALL TAU AC IL (Ariel Biener)
Date: Sat, 26 Jul 1997 07:50:13 +0300
On Sat, 26 Jul 1997, Nicolas Dubee wrote:
plaguez security advisory n. 8 kerneld / request-route vulnerability Program: kerneld(1) , the kernel messages daemon handler request-route, a sample ppp connection script Version: all kerneld/request-route versions OS: Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3) Problem: lock files, symlinks Impact: when kerneld/request-route are set up, any user can overwrite any file on the system. hello all, this week, we'll see a weird thing that should have been removed for years, but that has apparently survived in recent Linux versions. kerneld(1) is a daemon that "performs kernel action in user space" (see man page). request-route is a shell script that should launch pppd and allocate a network route 'on-the-fly' when kerneld receives a 'request-route' kernel message. It can also be configured to use other network interfaces. request-route uses a lockfile named /tmp/request-route where it writes its pid in. Unfortunatly, request-route does not check wether this lockfile already exists, will follow symlinks and will create new files mode 600... One can then create/write to any file on the affected system, regardless of permissions. An attacker would create a symlink from the /tmp/request-route file to any file on the system. He would then for example telnet to a host, resulting in a request-route kernel message. The /sbin/request-route would then be executed and would overwrite the file at the end of the symlink. Fix: ----
/sbin/request-route is a script. So, the script can be fixed to check for the lock file, or whatever other security check are needed. No need to just go and remove before finding a suitable solution. A simple solution would be to add a: set -o noclobber In the script, right here: sleep 60 & sleepid=$! ---> set -o noclobber echo $sleepid > $LOCK wait $sleepid Regards, --Ariel
rm -rf /sbin/request-route that's all for this week. See you later, -plaguez ------------------------ plaguez dube0866 () eurobretagne fr http://plaguez.innu.org/ ^^^^^^^^(soon) ------------------------
+---------------------------------------------------------+ | Ariel Biener | | e-mail: ariel () post tau ac il Work ph: 03-6406086 | +---------------------------------------------------------+
Current thread:
- Re: CPSR 7: IRIX WWW Server Thomas Walter (Jul 24)
- Re: CPSR 7: IRIX WWW Server Aaron Bornstein (Jul 24)
- Security hole in mgetty+sendfax Gert Doering (Jul 24)
- BIND Nuking Aveek Datta (Jul 24)
- Re: BIND Nuking Thomas H. Ptacek (Jul 29)
- ANNOUNCE: inn-1.5.1sec (fwd) Christopher Samuel (Jul 30)
- Re: Security hole in mgetty+sendfax Gert Doering (Jul 25)
- BIND Nuking Nicolas Dubee (Jul 25)
- Re: your mail Ariel Biener (Jul 25)
- Re: request-route Zoltan Hidvegi (Jul 28)
- Re: request-route Eric Bennett (Jul 29)
- Re: request-route John Macdonald (Jul 29)
- Re: request-route Kragen Sitaker (Jul 30)
- Re: request-route John Macdonald (Jul 31)
- perl fingerd stupidity Chris Terry (Jul 31)
- HP Security Bulletins Digest Aleph One (Jul 31)
- BIND Nuking Aveek Datta (Jul 24)
- Re: request-route Mihai SANDU (Jul 26)
- Netspace Singapore Privacy Bug Aleph One (Jul 26)
- Re: your mail Alan Cox (Jul 27)