oss-sec mailing list archives

CVE-Request - pen issues

From: Steve Kemp <steve () steve org uk>
Date: Wed, 12 Mar 2014 20:47:48 +0000

  There are some minor issues reported in the pen-load-balancer,
 which could use CVE Identifiers:

        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

  1.  Insecure use of temporary files when requesting
     websteats:

        } else if (!strcmp(p, "status")) {
                p = webfile;
                webfile = "/tmp/webfile.html";
                webstats();
        ...


   2.  Insecure use of temporary files when invoking
      the penctl command in the supplied CGI script:

PENCTL=penctl
...
        $PENCTL $SERVER:$PORT status 2> /tmp/penctl.cgi
..


    3.  When a control-socket is configured (via "-C ip:port" added
       to the pen command line) a user who can connect to that port
       can overwrite arbitrary files as the user pen is launched as:

shelob ~ $ sudo pen 4444 localhost:9000 -C 127.0.0.1:5043
shelob ~ $ penctl 127.0.0.1:5043 write /tmp/meow
shelob ~ $ penctl 127.0.0.1:5043 write /etc/owned
shelob ~ $ ls -l /etc/owned /tmp/meow
-rw-r--r-- 1 root root 1187 Mar 11 18:35 /etc/owned
-rw-r--r-- 1 root root 1186 Mar 11 18:35 /tmp/meow

  Please feel free to ask for details if they can be helpful,
 versions are unknown, but the current version is v0.18.0

Steve
-- 
http://www.steve.org.uk/

Current thread:

CVE-Request - pen issues Steve Kemp (Mar 12)
- Re: CVE-Request - pen issues cve-assign (Mar 13)
- <Possible follow-ups>
- Re: Re: CVE-Request - pen issues Steve Kemp (Mar 13)