[33121] in bugtraq
Networker 6.0 - possible symlink attack
daemon@ATHENA.MIT.EDU (Rene)
Mon Jan 19 14:22:00 2004
Date: 19 Jan 2004 14:55:06 -0000
Message-ID: <20040119145506.31861.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Rene <l0om@excluded.org>
To: bugtraq@securityfocus.com
product: networker 6.0
date: 19.01.2003
author: l0om <l0om@excluded.org>
possible symlink attack in shutdown scribt
the networker is a backup and storeage system from fujitsu siemens.
the shutdown (nsr_shutdown) scribt from networker version 6.0 contains a
the following:
zero_worklist()
{
[...]
rm -f /tmp/nsrsh$$
echo '. type: nsr group' > /tmp/nsrsh$$ # <----------------
echo 'update work list:; completion:' >> /tmp/nsrsh$$
nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
rm -f /tmp/nsrsh$$
}
[...]
as we all know the "$$" is no protection against symlink attacks
a user could creat a symbolic link from /tmp/nsrsh(guessed pid)
to somewhere in the system and could create or overwrite any file
on the system because it must be executed with root priv.
a better handling would be something like:
TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$
echo '. type: nsr group' > $TMPFILE
echo 'update work list:; completion:' >> $TMPFILE
nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
rm -f $TMPFILE
or "mktemp /tmp/phun.XXXXXX"
- have phun
- l0om
- www.excluded.org
