Bugtraq mailing list archives

Re: Xinetd /tmp race?


From: marc () SUSE DE (Marc Heuse)
Date: Fri, 13 Nov 1998 09:09:06 +0100


Hi,

If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
this method isn't checked against /tmp, and it happily overwrites anything
in the place of that file.  The package has been released in 1997, IMHO this
is too old to have a bug of this kind hidden.

Hmm, you did inform the xinetd maintainer in the first place, right?

An update for Suse Linux distributions is available at ftp.suse.com.

BTW here's the patch:

Your patch leaves xinetd still vulnerable.
Here's the one we issued (which was also sent to the maintainer).
It's hard to secure a create-or-append open call, anyone with an
idea for a standard solution?
[This patch leaves xinetd vulnerable if /tmp is not sticky, so it's
not 100% without changing the design or location of how the dump
should be done. But a system without a sticky /tmp is a problem anyway.]

--- internals.c.orig    Wed Jan 24 20:32:46 1996
+++ internals.c Thu Nov 12 11:18:39 1998
@@ -8,6 +8,7 @@

 #include <sys/types.h>
 #include <sys/stat.h>
+#include <unistd.h>
 #ifdef linux
 #include <sys/time.h>
 #endif
@@ -54,9 +55,24 @@
        time_t current_time ;
        register int fd ;
        register unsigned u ;
+       struct stat stat ;
        char *func = "dump_internal_state" ;

-       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ;
+       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ;
+       if ( dump_fd == -1 )
+       {
+               if ( lstat( dump_file, &stat) != 0)
+               {
+                       msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
+                       return ;
+               }
+               if (stat.st_uid != getuid())
+               {
+                       msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ;
+                       return ;
+               }
+               dump_fd = open( dump_file, O_WRONLY + O_APPEND) ;
+       }
        if ( dump_fd == -1 )
        {
                msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
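Review bot: the owner test in the new fallback block still checks the path rather than the file that is actually written: `lstat( dump_file, &stat)` and the following `open( dump_file, O_WRONLY + O_APPEND)` are two separate calls, so whatever sits at dump_file can change between them and the `stat.st_uid != getuid()` comparison never applies to the object the second open() returns. The test is also weaker than it looks because xinetd runs as root, so getuid() is 0 and any pre-existing root-owned object at that path passes it. Consider opening first and then fstat()-ing the descriptor, rejecting anything that is not a regular file owned by the daemon with st_nlink == 1, or, as the reply itself suggests, moving the dump out of a world-writable directory. Two smaller points: `struct stat stat ;` shadows the stat() function inside dump_internal_state, so a name like `struct stat sb ;` avoids confusion, and the "security: I'm not owning %s: %m" message prints errno via %m although no call has failed at that point, so the appended error text will be unrelated to the problem.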



Greets,
        Marc
--
  Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: marc () suse de      Function: Security Support & Auditing
  issue a  "finger marc () suse de | pgp -fka" for my public pgp key
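As an added example, not Marc's patch and not xinetd's own code, one answer to the create-or-append question raised above: create the dump file with O_EXCL, and when something already exists at the path, open it without following symlinks and check the opened descriptor with fstat() instead of checking the path with lstat(), so the check and the write refer to the same object. It assumes O_NOFOLLOW (which postdates this 1998 thread) and a writable /tmp for the constructed test scenarios.

```c
#define _GNU_SOURCE   /* O_NOFOLLOW, mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create-or-append open that never trusts the path: create exclusively; if
 * something is already there, open it and verify the descriptor with fstat(),
 * so there is no lstat-then-open window in which the file can be swapped. */
int safe_append_open(const char *path, mode_t mode)
{
    struct stat sb;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd != -1 || errno != EEXIST)
        return fd;                       /* created it, or a real error */
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd == -1)                        /* ELOOP if a symlink was planted */
        return -1;
    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) ||   /* regular file only */
        sb.st_nlink != 1 || sb.st_uid != geteuid()) {    /* not a hard link, ours */
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Exercise the function on constructed files in a fresh temp directory;
 * returns how many of the four scenarios behaved as intended (4 = all). */
int run_checks(void)
{
    char dir[] = "/tmp/appendXXXXXX", dump[64], symp[64], hardp[64];
    int ok = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(dump, sizeof dump, "%s/dump", dir);
    snprintf(symp, sizeof symp, "%s/sym", dir);
    snprintf(hardp, sizeof hardp, "%s/hard", dir);
    fd = safe_append_open(dump, 0600);   /* 1: nothing there -> created */
    if (fd != -1) { ok++; close(fd); }
    fd = safe_append_open(dump, 0600);   /* 2: our regular file -> reopened */
    if (fd != -1) { ok++; close(fd); }
    if (symlink(dump, symp) == 0 &&      /* 3: symlink at the path -> refused */
        safe_append_open(symp, 0600) == -1)
        ok++;
    if (link(dump, hardp) == 0 &&        /* 4: hard link, nlink 2 -> refused */
        safe_append_open(hardp, 0600) == -1)
        ok++;
    unlink(hardp); unlink(symp); unlink(dump); rmdir(dir);
    return ok;
}
```

Scenarios 3 and 4 are the cases an lstat()-then-open() check cannot close, since the object at the path may change between the two calls; checking the descriptor removes that window, though keeping the dump out of a world-writable directory remains the simpler fix.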


