[18075] in bugtraq
Re: apcupsd 3.7.2 Denial of Service
daemon@ATHENA.MIT.EDU (Mattias Dartsch)
Thu Dec 14 15:28:10 2000
Message-ID: <005b01c064fb$1f56b940$0200a8c0@joonix.de>
Date: Wed, 13 Dec 2000 12:50:24 +0100
Reply-To: Mattias Dartsch <matze@JOONIX.DE>
From: Mattias Dartsch <matze@JOONIX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
The problem is a missing umask() in the main program code; this was fixed in
version 3.8.0.
The fix in the advisory was intended as a temporary solution for people who
DON'T want to upgrade or recompile; they only have to alter the
/etc/rc.d/apcupsd script.
Setting a umask in a /etc/rc.d script can lead to strange side effects,
since this umask setting is used for the following scripts too; that's
why I used chmod.
If you still want to use umask instead of chmod, you have to use a syntax
like this to avoid unwanted side effects:
---begin---
(umask 0077 ; $APCUPSD) || return=$rc_failed
---end---
(Thanks to Jukka A. Ukkonen)
greets,
Mattias Dartsch
matze@joonix.de
----- Original Message -----
From: nash <nash@ROHAN.SDSU.EDU>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Tuesday, December 12, 2000 6:55 PM
Subject: Re: [BUGTRAQ] apcupsd 3.7.2 Denial of Service
> >
> > Title: apcupsd 3.7.2 Denial of Service
> >
> > Affected Application: apcupsd daemon
> ...
> > Problem:
> >
> > During startup apcupsd creates a PID-file named "apcupsd.pid" in /var/run
> > (system specific, maybe other directory) with the ID of the daemon process,
> > this PID-file is used by the shutdown-script to kill the daemon process.
> >
> > Unfortunately this PID-file is world-writeable (Mode 666, -rw-rw-rw). A
> > malicious user can overwrite the file with arbitrary process IDs, these
> > processes will be killed instead of the apcupsd process during restart or
> > stop of the apcupsd daemon and during system shutdown or restart, the whole
> > system can be crashed this way.
> ...
> > Users who don't want to upgrade can add two lines to the "start" section in
> > the apcupsd startup script in /etc/rc.d or /sbin/init.d :
>
> why not just add umask 022?
>
>
> ---begin---
>
> start)
> umask 022
> rm -f /etc/apcupsd/powerfail
> rm -f /etc/nologin
> echo -n "Starting apcupsd power management"
> $APCUPSD || return=$rc_failed
> echo -e "$return"
> ;;
>
> ---end---
>
> -Ron
> >
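As an added example (not code from this thread or from apcupsd), the script below shows the two points discussed: a bare umask in an rc script leaks into every later command while the subshell form `( umask NNN ; cmd )` confines it, and a stop script can vet a PID file before trusting the number inside it. The function names (file_mode, run_with_umask, pidfile_trusted, demo) are this example's own.

```shell
#!/bin/sh
# Added example, not from the post or apcupsd: a bare `umask` in an rc
# script leaks into every later command, the subshell form confines it,
# and a stop script should vet a PID file before killing what it names.

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run a command under a given umask without touching the caller's umask,
# the pattern the reply recommends for /etc/rc.d/apcupsd.
run_with_umask() {
    mask=$1
    shift
    ( umask "$mask" ; "$@" )
}

# Is a PID file safe to act on? Regular file, not a symlink, owned by us,
# not writable by group or others, and holding only a positive integer
# (a "-1" would make kill(1) signal every process).
pidfile_trusted() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    case "$(file_mode "$f")" in
        *[2367]?|*[2367]) return 1 ;;   # group or other write bit set
    esac
    case "$(cat "$f")" in
        ''|0|*[!0-9]*) return 1 ;;      # empty, zero, or not a number
    esac
    return 0
}

# With an inherited umask of 000 (what a mode-666 apcupsd.pid implies),
# creating a file the way creat(path, 0666) does yields 666; the same
# creation under run_with_umask 0077 yields 600, and the caller's umask
# is unchanged afterwards (after.pid is 666 again).
demo() {
    dir=$(mktemp -d) || return 1
    umask 000
    : > "$dir/plain.pid"
    run_with_umask 0077 sh -c ': > "$1"' sh "$dir/masked.pid"
    : > "$dir/after.pid"
    echo "plain=$(file_mode "$dir/plain.pid") masked=$(file_mode "$dir/masked.pid") after=$(file_mode "$dir/after.pid")"
    rm -rf "$dir"
}

demo
```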