[8522] in bugtraq


Re: Xinetd /tmp race?

daemon@ATHENA.MIT.EDU (Wayne Schroeder)
Thu Nov 12 16:03:50 1998

Date: 	Wed, 11 Nov 1998 13:40:29 -0600
Reply-To: Wayne Schroeder <fileland@SOUND.NET>
From: Wayne Schroeder <fileland@SOUND.NET>
X-To:         Balazs Nagy <julian7@KVA.HU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.02.9811110326440.11996-100000@krondor.kva.hu>; from
              Balazs Nagy on Wed, Nov 11, 1998 at 03:28:03AM +0100

My xinetd (2.2.1-5) from debian hamm does this.. but if you will notice
HUP is NOT used anywhere like inetd does.  HUP is used only to cause it to
dump info.. as documented.  Sig 10 is reload.  YES it IS a race... but the
dump file can easily be changed to something else in the source config.


Wayne



 On Wed, Nov 11, 1998 at 03:28:03AM +0100, Balazs Nagy wrote:
> Hiyas,
>
> If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
> this method isn't checked against /tmp, and it happily overwrites anything
> in the place of that file.  The package has been released in 1997, IMHO this
> is too old to have a bug of this kind hidden.
>
> BTW here's the patch:
> diff -ruN xinetd-2.2.1.orig/xinetd/internals.c
> xinetd-2.2.1/xinetd/internals.c
> --- xinetd-2.2.1.orig/xinetd/internals.c        Sun Nov  8 13:28:00 1998
> +++ xinetd-2.2.1/xinetd/internals.c     Sun Nov  8 13:27:33 1998
> @@ -55,7 +55,14 @@
>         register int fd ;
>         register unsigned u ;
>         char *func = "dump_internal_state" ;
> +       struct stat sb;
>
> +       if (!(stat(dump_file,
> &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1))
> +       {
> +               msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable
> link", dump_file ) ;
> +               return ;
> +       }
> +
>         dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND,
> DUMP_FILE_MODE ) ;
>         if ( dump_fd == -1 )
>         {
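Review bot: the new stat() block (the `+` lines before the open() at the end of the hunk) does not close the race it targets; it re-creates it as a check-then-use window, since the name can be replaced with a link between the stat() and the open() that follows. Two further problems in the check itself: stat() follows symlinks, so a symlink pointing at an existing regular file with one link reports S_ISREG and st_nlink == 1 and passes, which calls for lstat() plus an S_ISLNK test; and when stat() fails for any reason other than ENOENT, sb is never filled in yet the condition still reads sb.st_mode and sb.st_nlink. Suggested change: open the file first (with O_NOFOLLOW where the platform offers it), then fstat() the descriptor and reject it unless it is a regular file with st_nlink == 1 owned by the daemon, so the decision is made on the object actually opened rather than on a name that may have changed.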
> --
>    Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu
>       PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8  86 64 9C 42 41 A4 BD B8

--
 [ Razathorn <fileland@sound.net>                                 ]
 [ PGP public key http://www.sound.net/~fileland/pubkey.shtml     ]
 [ Finger Print: B8 9B 4B F5 67 1C A3 86  2F 91 F2 81 08 08 79 49 ]
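The safer pattern mentioned in this thread, written out as an added example (not code from xinetd or from either poster): decide on the descriptor you actually opened, not on a separate stat() of the name. The function names, the 0644/0600 modes and the /tmp fixture are assumptions made for the example.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create a dump file in a directory that others can write to.  The checks
 * run on the descriptor obtained, not on a stat() of the name, so there is no window. */
int safe_open_dump(const char *path, mode_t mode)
{
    struct stat sb;
    /* O_NOFOLLOW refuses a symlink planted under the dump name (ELOOP);
     * no O_EXCL, so appending to an existing genuine dump still works. */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, mode);
    if (fd == -1)
        return -1;
    /* A hard link is not a symlink and passes O_NOFOLLOW; fstat() the fd to catch it. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode)
        || sb.st_nlink != 1 || sb.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture in a private temp dir.  Bits: 1 = symlink refused with ELOOP,
 * 2 = hard link refused, 4 = plain dump file created.  7 means all cases behaved. */
int check_open_behaviour(void)
{
    char dir[] = "/tmp/dumpcheckXXXXXX", victim[64], dump[64];
    int fd, result = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/xinetd.dump", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) >= 0)  /* file that must stay intact */
        close(fd);
    if (symlink(victim, dump) == 0 && safe_open_dump(dump, 0644) == -1 && errno == ELOOP)
        result |= 1;
    unlink(dump);
    if (link(victim, dump) == 0 && safe_open_dump(dump, 0644) == -1)
        result |= 2;
    unlink(dump);
    if ((fd = safe_open_dump(dump, 0644)) >= 0) { result |= 4; close(fd); }
    unlink(dump); unlink(victim); rmdir(dir);
    return result;
}
```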
