Message-ID: <20040119145506.31861.qmail@www.securityfocus.com>
Date: 19 Jan 2004 14:55:06 -0000
From: Rene <l0om@...luded.org>
To: bugtraq@...urityfocus.com
Subject: Networker 6.0  - possible symlink attack




product: networker 6.0
date: 19.01.2003
author: l0om  <l0om@...luded.org>

possible symlink attack in shutdown script

the networker is a backup and storage system from fujitsu siemens.

the shutdown (nsr_shutdown) script from networker version 6.0 contains 
the following:


zero_worklist()
{
[...]
        rm -f /tmp/nsrsh$$
        echo '. type: nsr group' > /tmp/nsrsh$$  # <----------------
        echo 'update work list:; completion:' >> /tmp/nsrsh$$
        nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
        rm -f /tmp/nsrsh$$
}
[...]

as we all know the "$$" is no protection against symlink attacks.
a user could create a symbolic link from /tmp/nsrsh(guessed pid) 
to somewhere in the system and could create or overwrite any file
on the system because it must be executed with root priv.

a better handling would be something like:

TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$
echo '. type: nsr group' > $TMPFILE
echo 'update work list:; completion:' >> $TMPFILE
nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
rm -f $TMPFILE

or "mktemp /tmp/phun.XXXXXX"


- have phun
 - l0om 
  - www.excluded.org
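
The mktemp suggestion at the end of the post, written out next to the write step it replaces. This is an added example, not part of the original post and not NetWorker code; the function names, the directory parameter and NSRADMIN_CMD (a stand-in for "nsradmin ${RESFILE} -i -") are assumptions made so it runs without the product.

```shell
#!/bin/sh
# Added example, not NetWorker code. NSRADMIN_CMD is a stand-in (assumption)
# for "nsradmin ${RESFILE} -i -" so the functions run without the product.
NSRADMIN_CMD=${NSRADMIN_CMD:-cat}

# The write step from the post, with the directory as a parameter.
# A plain ">" opens the path without O_EXCL, so if a symlink appears at
# the predictable name after the "rm -f", the redirect writes through it.
write_worklist_legacy() {
    f="$1/nsrsh$$"
    echo '. type: nsr group' > "$f"
    echo 'update work list:; completion:' >> "$f"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# atomically (O_CREAT|O_EXCL, mode 0600), failing instead of following
# anything that already exists at that path.
zero_worklist_safe() {
    tmpfile=$(mktemp "${1:-/tmp}/nsrsh.XXXXXX") || return 1
    {
        echo '. type: nsr group'
        echo 'update work list:; completion:'
    } > "$tmpfile"
    rc=0
    $NSRADMIN_CMD < "$tmpfile" > /dev/null 2>&1 || rc=$?
    rm -f "$tmpfile"
    return "$rc"
}
```

The hardened function returns non-zero when mktemp cannot create the file, so the caller can stop instead of continuing with an unset path.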

