[10631] in bugtraq


IBM eNetwork Firewall for AIX

daemon@ATHENA.MIT.EDU (Paul Cammidge)
Tue May 25 15:33:43 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <374AFB21.F53E23D2@pccc.co.za>
Date: 	Tue, 25 May 1999 20:33:53 +0100
Reply-To: Paul Cammidge <paul@PCCC.CO.ZA>
From: Paul Cammidge <paul@PCCC.CO.ZA>
To: BUGTRAQ@NETSPACE.ORG

The IBM eNetwork Firewall for AIX contains some poorly written scripts,
which create temporary files in /tmp without making any attempt to
validate the existence of the file.  This allows any user with shell
access to such a firewall to corrupt or possibly modify system files by
creating links, pipes, etc. with the same name.

In a simple example submitted to IBM, /etc/passwd was overwritten.  This
example has been published on one of their support web pages as a 'local
fix'.

The problem was reported to IBM early in January.  To the best of my
knowledge, the correct procedures have been followed.  Initially, IBM
responded by telling me that it was common practice for software to make
use of /tmp.  They suggested changing the permissions to prevent users
from creating symbolic links to sensitive files.

An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99.  The
fix has not yet been released.  This definitely applies to version 3.2,
and probably others.

Anyone running this software who has users with shell accounts should be
aware that the potential exists for these users to corrupt files which
they don't have access to.

cheers
paul
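
Added example, not part of the original post and not IBM's scripts: the temp-file pattern the message describes, next to a hardened form, checked inside a throwaway sandbox directory. The function names, the file name fwscript.tmp and the sample file contents are hypothetical, and mktemp is assumed to be available.

```shell
#!/bin/sh
# Added illustration; function and file names are hypothetical, not IBM's scripts.

# Pattern the advisory describes: a fixed, predictable name, opened with
# no check for what already exists there. The shell follows an existing link.
write_unsafe() {            # $1 = shared temp dir, $2 = data
    printf '%s\n' "$2" > "$1/fwscript.tmp"
}

# Hardened form: mktemp picks an unpredictable name and creates the file
# with O_EXCL and mode 0600, so an existing file, link or pipe is never reused.
write_safe() {              # $1 = shared temp dir, $2 = data; prints the path used
    f=$(mktemp "$1/fwscript.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f" || return 1
    printf '%s\n' "$f"
}

# Sandbox check: returns 0 if the writer left the protected file intact.
# Everything lives under a fresh private directory; nothing outside it is touched.
survives() {                # $1 = name of the writer function to check
    box=$(mktemp -d) || return 2
    mkdir "$box/tmp"
    printf 'root:x:0:0\n' > "$box/protected"          # constructed stand-in file
    ln -s "$box/protected" "$box/tmp/fwscript.tmp"    # pre-existing link, as in the advisory
    "$1" "$box/tmp" "scratch data" >/dev/null
    content=$(cat "$box/protected")
    rm -rf "$box"
    [ "$content" = "root:x:0:0" ]
}

if survives write_unsafe; then echo "unsafe: intact"; else echo "unsafe: protected file overwritten"; fi
if survives write_safe;   then echo "safe: intact";   else echo "safe: protected file overwritten";   fi
```

Creating a private working directory with `mktemp -d` and placing all scratch files inside it closes the same hole for scripts that need several temporary files.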
