Re: your mail

Ariel Biener (ariel@FIREBALL.TAU.AC.IL)
Sat, 26 Jul 1997 07:50:13 +0300

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Aleph One: "Netspace Singapore Privacy Bug"
Previous message: Matt Conover: "Multiply bugs in MH-6.8.3 (Mail Handler program)"

On Sat, 26 Jul 1997, Nicolas Dubee wrote:

> plaguez security advisory n. 8
>
> kerneld / request-route vulnerability
>
>
> Program: kerneld(1) , the kernel messages daemon handler
> request-route, a sample ppp connection script
>
> Version: all kerneld/request-route versions
>
> OS: Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3)
>
> Problem: lock files, symlinks
>
> Impact: when kerneld/request-route are set up,
> any user can overwrite any file on the system.
>
>
>
> hello all,
>
> this week, we'll see a weird thing that should have been
> removed for years, but that has apparently survived in recent
> Linux versions.
>
> kerneld(1) is a daemon that "performs kernel action in user space"
> (see man page).
> request-route is a shell script that should launch pppd and
> allocate a network route 'on-the-fly' when kerneld receives
> a 'request-route' kernel message.
> It can also be configured to use other network interfaces.
>
> request-route uses a lockfile named /tmp/request-route
> where it writes its pid in.
> Unfortunatly, request-route does not check wether this
> lockfile already exists, will follow symlinks and will
> create new files mode 600...
>
> One can then create/write to any file on the affected
> system, regardless of permissions.
>
> An attacker would create a symlink from the /tmp/request-route
> file to any file on the system. He would then for example
> telnet to a host, resulting in a request-route kernel
> message. The /sbin/request-route would then be executed
> and would overwrite the file at the end of the symlink.
>
>
> Fix:
> ----

/sbin/request-route is a script. So, the script can be fixed to check for
the lock file, or whatever other security check are needed. No need to
just go and remove before finding a suitable solution.

A simple solution would be to add a:

set -o noclobber

In the script, right here:

sleep 60 &
sleepid=$!
---> set -o noclobber
echo $sleepid > $LOCK
wait $sleepid

Regards,

--Ariel

>
> rm -rf /sbin/request-route
>
>
>
>
> that's all for this week.
>
> See you later,
>
> -plaguez
>
>
>
> ------------------------
> plaguez
> dube0866@eurobretagne.fr
> http://plaguez.innu.org/
> ^^^^^^^^(soon)
> ------------------------
>

+---------------------------------------------------------+
| Ariel Biener |
| e-mail: ariel@post.tau.ac.il Work ph: 03-6406086 |
+---------------------------------------------------------+

Next message: Aleph One: "Netspace Singapore Privacy Bug"
Previous message: Matt Conover: "Multiply bugs in MH-6.8.3 (Mail Handler program)"