Re: apcupsd 3.7.2 Denial of Service

[Mattias Dartsch <matze () JOONIX DE>]

Hi,

the problem is a missing umask() in the main program code, this was fixed in
Version 3.8.0.

The fix in the advisory was thought as a temporary solution for people who
DON'T want to upgrade or recompile, they only have to alter the
/etc/rc.d/apcupsd script.

Setting a umask in a /etc/rc.d script can lead to strange side effects,
since this umask setting is used for the following script's too, that's
why i used chmod.

If you still want to use umask instead of chmod, you have to use a syntax
like this to avoid unwanted side effects:

---begin---

(umask 0077 ; $APCUPSD) || return=$rc_failed

---end---

(Thanks to Jukka A. Ukkonen)


greets,

Mattias Dartsch

matze () joonix de


----- Original Message -----
From: nash <nash () ROHAN SDSU EDU>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, December 12, 2000 6:55 PM
Subject: Re: [BUGTRAQ] apcupsd 3.7.2 Denial of Service


> > Title:    apcupsd 3.7.2 Denial of Service
> >
> > Affected Application:    apcupsd daemon
> ...
> > Problem:
> >
> > During startup apcupsd creates a PID-file named "apcupsd.pid" in
/var/run
> > (system specific, maybe other directory) with the ID of the daemon
process,
> > this PID-file is used by the shutdown-script to kill the daemon process.
> >
> > Unfortunatly this PID-file ist world-writeable (Mode 666, -rw-rw-rw). A
> > malicious user can overwrite the file with arbitrary process ID's, these
> > processes will be killed instead of the apcupsd process during restart
or
> > stop of the apcupsd daemon and during system shutdown or restart, the
whole
> > system can be crashed this way.
> ...
> > User's who don't want to upgrade can add two lines to the "start"
section in
> > the apcupsd startup script in /etc/rc.d or /sbin/init.d :
>
> why not just add umask 022?
>
>
> ---begin---
>
>     start)
> umask 022
>         rm -f /etc/apcupsd/powerfail
>         rm -f /etc/nologin
>         echo -n "Starting apcupsd power management"
>         $APCUPSD || return=$rc_failed
>         echo -e "$return"
>     ;;
>
> ---end---
>
> -Ron
> >