[6101] in bugtraq


Re: AIX/Gradient iFOR/LS bug: follows symlinks

daemon@ATHENA.MIT.EDU (Troy A. Bollinger)
Mon Feb 9 19:31:54 1998

Mail-Followup-To: Joerg Schumacher <schuma@gaertner.de>,
                  BUGTRAQ@NETSPACE.ORG, security-alert@austin.ibm.com,
                  ers-tech@vnet.ibm.com, dfncert@cert.dfn.de
Date: 	Mon, 9 Feb 1998 17:39:51 -0600
Reply-To: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
From: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
X-To:         Joerg Schumacher <schuma@gaertner.de>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199802092232.XAA12520@aunt.gaertner.de>; from Joerg Schumacher
              on Mon, Feb 09, 1998 at 11:32:45PM +0100

Quoting Joerg Schumacher (schuma@gaertner.de):
> AIX 4.1 includes the iFOR/LS (formerly known as NetLS) license server
> from Gradient Technologies.  Some parts of this system (NCS, server and
> client libs) use a cache file (/tmp/last_uuid, mode 0666), which will be
> created on the fly if missing.  The code has the classical file open bug:
> it will happily follow any symlink.
>
> I guess IBM and Gradient had their chance to fix this bug, since I
> reported it back in December 1996 (no typo, more than a year ago).
> IIRC, HP-UX had (and may still have) this bug too.
>

Yes, we've had more than ample time to fix this and I personally thank
you for the patience you've shown.  Unfortunately, it's difficult to
fix the bugs when you don't own the source code (I guess bugtraq
readers already know that ;-).  For those keeping score this is PMR
1540x,025,724.

A simple workaround for this is to remove and recreate /tmp/last_uuid
in /sbin/rc.boot.  This will limit the attack to filling the /tmp
partition.

> Some complaints:
>
>    to IBM: I guess it's time to review the APAR process wrt security.
>            Having a security related bug hanging around for more than a
>            year at low priority is definitely a bad thing.
>

Hopefully, this case will be an exception.  I'd like to think that the
process has improved significantly (e.g. the recent routed bug posted
to bugtraq had a pretty fast followup).

>    to IBM-ERS: I've submitted a Cc of my original bug report to
>              ers-tech@vnet.ibm.com but I never got any feedback.
>              Granted, you don't want us to send any reports via
>              email, but this "small planet" isn't small enough to let me
>              call you via phone for free.
>
>    to DFN-CERT: Where have you been?  No tracking seen despite my Cc.
>

IIRC, IBM-ERS and DFN-CERT harassed me about this several times...   ;-)

> Thanks to Troy Bollinger (troy@austin.ibm.com) for pointing out some
> other insecurely created temporary files.

I also pointed out how to fix them, didn't I?   :-)

I'll update the list I sent you and post it here.  Most of the
world-writable files (with the exception of /tmp/last_uuid) have been
fixed.  I'd appreciate hearing about any I missed.

>
> Regards,
> Joerg

Thanks.
-- 
Troy Bollinger                            troy@austin.ibm.com
AIX Security Development        security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
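Not part of the thread: an added C example showing the open-or-create pattern Joerg describes beside a hardened replacement, run against a constructed symlink scenario. The function names, the temporary directory under /tmp and the 0644 mode are assumptions for the demonstration, not IBM's or Gradient's code.

```c
#define _GNU_SOURCE          /* mkdtemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread describes: open-or-create a cache file with
 * follow-by-default semantics and mode 0666. A symlink planted at that
 * name redirects the write to whatever it points at. */
int open_cache_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened variant: O_NOFOLLOW makes a symlink fail with ELOOP, the
 * fstat() check refuses anything that is not our own regular file, and
 * the mode is no longer world-writable. */
int open_cache_safe(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink bearing the cache file's name points at
 * another file. Returns 1 when the unsafe open follows it but the safe
 * open refuses it with ELOOP, 0 otherwise. Paths are illustrative. */
int demo_symlink_rejected(void) {
    char dir[] = "/tmp/lastuuid.XXXXXX";
    char target[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/last_uuid", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t < 0) return 0;
    close(t);
    if (symlink(target, link) < 0) return 0;
    int unsafe = open_cache_unsafe(link);
    int safe = open_cache_safe(link);
    int safe_errno = errno;
    int ok = unsafe >= 0 && safe < 0 && safe_errno == ELOOP;
    if (unsafe >= 0) close(unsafe);
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```

The boot-time remove-and-recreate workaround from the reply only shrinks the window; the open call itself has to refuse the link for the bug to be closed.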
