Date: Mon, 18 Aug 2003 14:41:21 -0300
From: "Ademar de Souza Reis Jr." <ademar@...ectiva.com.br>
To: bugtraq@...urityfocus.com
Subject: OpenSLP initscript symlink vulnerability


Hello.

OpenSLP is an implementation of the "Service Location Protocol V2", an
IETF standards track protocol that provides a framework to allow
networking applications to discover the existence, location, and
configuration of networked services in enterprise networks.
(http://www.openslp.org)

There's a symbolic link vulnerability in one of the initscripts
provided with openslp. The slpd.all_init file uses '/tmp/route.check'
as a temporary file in an unsafe manner.

Since this script is usually called by the root user (to start the
service), an attacker could exploit this vuln to at least "reset"
the content of any file in the system as soon as the "start"
action is called. As a standard symlink vulnerability, all the attacker
needs is to create a /tmp/route.check symlink pointing to a system file.

Fortunately, the aforementioned initscript is not used by many
vendors (only Conectiva, according to a vendor-sec
discussion). Debian distributes openslp but uses another script.

The problem affects OpenSLP 1.0.11 (and probably older versions)
and is fixed in the CVS of the project.

From the slpd.all_init file:

"""
	...
	TMP_FILE=/tmp/route.check
	...
	ping ... > $TMP_FILE
	...
	rm -f $TMP_FILE
	...
"""

The openslp maintainers and the guys from vendor-sec were
contacted on 2003-Aug-07 and agreed on this disclosure date.

-- 
Ademar de Souza Reis Jr. <ademar@...ectiva.com.br>

^[:wq!
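
The pattern quoted in the message, next to a mktemp-based replacement, as an added example that is not part of the original post or of OpenSLP. The function names and the private sandbox directory are assumptions made for illustration, and `echo` stands in for the elided ping command.

```shell
#!/bin/sh
# Constructed demo: everything happens inside a private sandbox directory,
# where the file "victim" plays the role of a system file.

# Pattern from slpd.all_init: fixed, predictable name in a shared directory.
# The shell's `>` follows a link at that path and truncates its target.
write_predictable() {
    TMP_FILE="$1/route.check"
    echo "probe output" > "$TMP_FILE"
    rm -f "$TMP_FILE"
}

# Hardened pattern: mktemp creates a new, unpredictably named file
# (exclusive create, mode 0600), so a pre-existing link is never opened.
write_mktemp() {
    TMP_FILE=$(mktemp "$1/route.check.XXXXXX") || return 1
    echo "probe output" > "$TMP_FILE"
    rm -f "$TMP_FILE"
}

# Runs one writer ($1) against a sandbox in which route.check already
# exists as a symlink to "victim". Prints "intact" or "clobbered".
demo() {
    sandbox=$(mktemp -d) || return 1
    echo "important data" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/route.check"
    "$1" "$sandbox"
    if [ "$(cat "$sandbox/victim" 2>/dev/null)" = "important data" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    echo "$result"
}

demo write_predictable   # clobbered
demo write_mktemp        # intact
```

For an initscript, keeping the scratch file out of world-writable directories altogether (for example a root-owned directory under /var/run) removes the problem at its source.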

