[5022] in bugtraq
Re: your mail
daemon@ATHENA.MIT.EDU (Ariel Biener)
Mon Jul 28 11:05:01 1997
Date: Sat, 26 Jul 1997 07:50:13 +0300
Reply-To: Ariel Biener <ariel@FIREBALL.TAU.AC.IL>
From: Ariel Biener <ariel@FIREBALL.TAU.AC.IL>
X-To: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199707260529.HAA06051@plaguez.insomnia.org>
On Sat, 26 Jul 1997, Nicolas Dubee wrote:
> plaguez security advisory n. 8
>
> kerneld / request-route vulnerability
>
>
> Program: kerneld(1), the kernel messages daemon handler
> request-route, a sample ppp connection script
>
> Version: all kerneld/request-route versions
>
> OS: Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3)
>
> Problem: lock files, symlinks
>
> Impact: when kerneld/request-route are set up,
> any user can overwrite any file on the system.
>
>
>
> hello all,
>
> this week, we'll see a weird thing that should have been
> removed for years, but that has apparently survived in recent
> Linux versions.
>
> kerneld(1) is a daemon that "performs kernel action in user space"
> (see man page).
> request-route is a shell script that should launch pppd and
> allocate a network route 'on-the-fly' when kerneld receives
> a 'request-route' kernel message.
> It can also be configured to use other network interfaces.
>
> request-route uses a lockfile named /tmp/request-route
> where it writes its pid in.
> Unfortunately, request-route does not check whether this
> lockfile already exists, will follow symlinks and will
> create new files mode 600...
>
> One can then create/write to any file on the affected
> system, regardless of permissions.
>
> An attacker would create a symlink from the /tmp/request-route
> file to any file on the system. He would then for example
> telnet to a host, resulting in a request-route kernel
> message. The /sbin/request-route would then be executed
> and would overwrite the file at the end of the symlink.
>
>
> Fix:
> ----
/sbin/request-route is a script. So, the script can be fixed to check for
the lock file, or whatever other security checks are needed. No need to
just go and remove it before finding a suitable solution.
A simple solution would be to add a:
set -o noclobber
In the script, right here:
sleep 60 &
sleepid=$!
---> set -o noclobber
echo $sleepid > $LOCK
wait $sleepid
Regards,
--Ariel
>
> rm -rf /sbin/request-route
>
>
>
>
> that's all for this week.
>
> See you later,
>
> -plaguez
>
>
>
> ------------------------
> plaguez
> dube0866@eurobretagne.fr
> http://plaguez.innu.org/
> ^^^^^^^^(soon)
> ------------------------
>
+---------------------------------------------------------+
| Ariel Biener |
| e-mail: ariel@post.tau.ac.il Work ph: 03-6406086 |
+---------------------------------------------------------+
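An added example, not code from the advisory or from Ariel's reply: a request-route style lock helper that applies the noclobber fix and refuses a pre-existing path, with a stand-alone demo in a scratch directory. The function names, the important.conf target and the PID values are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the reply): a request-route style
# lock-file helper hardened with the noclobber fix. Paths are parameters so
# it can be exercised in a scratch directory instead of /tmp/request-route.

# acquire_lock LOCKFILE PID: create LOCKFILE holding PID; return 1 if anything
# already exists at that path, so a planted symlink is never followed.
acquire_lock() {
    lock=$1
    pid=$2
    # Explicit refusal of symlinks (noclobber in dash/bash will still open a
    # link that points at a non-regular file such as a device).
    if [ -L "$lock" ] || [ -e "$lock" ]; then
        return 1
    fi
    # set -C (noclobber) turns '>' into an O_CREAT|O_EXCL open: an existing
    # regular file, or a link created between the test above and this write,
    # makes the redirection fail instead of truncating the target.
    ( set -C; echo "$pid" > "$lock" ) 2>/dev/null
}

# release_lock LOCKFILE: remove the lock only if it is a plain regular file.
release_lock() {
    lock=$1
    if [ -f "$lock" ] && [ ! -L "$lock" ]; then
        rm -f "$lock"
    fi
}

# Stand-alone demo with constructed data; only a fresh scratch directory is touched.
demo() {
    dir=$(mktemp -d)
    target="$dir/important.conf"
    echo "original contents" > "$target"
    lock="$dir/request-route"
    acquire_lock "$lock" 4242 && echo "lock acquired, holds pid $(cat "$lock")"
    release_lock "$lock"
    # A link planted at the lock path must be refused and the target untouched.
    ln -s "$target" "$lock"
    if acquire_lock "$lock" 4243; then
        echo "BUG: lock followed the symlink"
    else
        echo "refused: something already exists at $lock"
    fi
    echo "target still reads: $(cat "$target")"
    rm -rf "$dir"
}

demo
```

Keeping the lock outside a world-writable directory such as /tmp (for example under /var/run) removes the planted-link problem at its root rather than only at the write.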