Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Xinetd /tmp race?

Re: Xinetd /tmp race?

Wayne Schroeder (filelandSOUND.NET)
Wed, 11 Nov 1998 13:40:29 -0600

My xinetd (2.2.1-5) from Debian hamm does this, but if you will notice,
HUP is NOT used anywhere like inetd does.  HUP is used only to cause it to
dump info, as documented.  Sig 10 is reload.  YES it IS a race, but the
dump file can easily be changed to something else in the source config.


Wayne



 On Wed, Nov 11, 1998 at 03:28:03AM +0100, Balazs Nagy wrote:
> Hiyas,
>
> If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
> this method isn't checked against /tmp, and it happily overwrites anything
> in the place of that file.  The package has been released in 1997, IMHO this
> is too old to have a bug of this kind hidden.
>
> BTW here's the patch:
> diff -ruN xinetd-2.2.1.orig/xinetd/internals.c
> xinetd-2.2.1/xinetd/internals.c
> --- xinetd-2.2.1.orig/xinetd/internals.c        Sun Nov  8 13:28:00 1998
> +++ xinetd-2.2.1/xinetd/internals.c     Sun Nov  8 13:27:33 1998
>  -55,7 +55,14 
>         register int fd ;
>         register unsigned u ;
>         char *func = "dump_internal_state" ;
> +       struct stat sb;
>
> +       if (!(stat(dump_file,
> &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1))
> +       {
> +               msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable
> link", dump_file ) ;
> +               return ;
> +       }
> +
>         dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND,
> DUMP_FILE_MODE ) ;
>         if ( dump_fd == -1 )
>         {
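Review bot: the guard added before `dump_fd = open(...)` uses stat(), which follows symlinks, so a symlink planted at dump_file that points to a regular file with a single link reports S_ISREG and st_nlink == 1 and passes the check; use lstat() so the link itself is examined, or better, open with O_NOFOLLOW and run the S_ISREG/st_nlink test with fstat() on the descriptor returned by open(), which also removes the window between the stat() and the open() that this patch still leaves. Separately, when stat() fails for any reason other than ENOENT (EACCES, for instance) the condition goes on to read S_ISREG(sb.st_mode) from an uninitialized `struct stat`; treat every stat() failure except ENOENT as a refusal. The message "failed to open %s" is also misleading here, since nothing has been opened at that point; "refusing to write %s" or similar would describe the branch.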
> --
>    Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu
>       PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8  86 64 9C 42 41 A4 BD B8

--
 [ Razathorn <filelandsound.net>                                 ]
 [ PGP public key http://www.sound.net/~fileland/pubkey.shtml     ]
 [ Finger Print: B8 9B 4B F5 67 1C A3 86  2F 91 F2 81 08 08 79 49 ]
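The /tmp dump-file race discussed in both messages, shown as an added example rather than xinetd's code or either poster's patch. It goes beyond Wayne's workaround (moving the dump path) and beyond the quoted stat()-then-open() check: the file is opened with O_NOFOLLOW and the type, link count and ownership are verified with fstat() on the descriptor actually obtained, so there is no window between check and use. The names `safe_open_dump`, `link_is_refused` and `fresh_file_is_accepted`, the `DUMP_FILE_MODE` value and the `/tmp/xinetd_dump_*` paths are all assumptions made up for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define DUMP_FILE_MODE 0644    /* assumed value; xinetd's own constant is not on the page */

/* Open (creating if needed) a dump file for append without trusting the path.
 * O_NOFOLLOW refuses a symlink sitting at the path, and every other check is
 * made with fstat() on the descriptor we hold, so a file swapped in between a
 * separate stat() and open() cannot slip through. Returns an fd, or -1 with
 * errno set. */
int safe_open_dump(const char *path)
{
    struct stat sb;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, DUMP_FILE_MODE);
    if (fd == -1)
        return -1;                          /* ELOOP here: a symlink was at the path */
    if (fstat(fd, &sb) == -1) {
        close(fd);
        return -1;
    }
    /* A hard link to another file passes O_NOFOLLOW, so also insist on a
     * plain file with exactly one link that we own. */
    if (!S_ISREG(sb.st_mode) || sb.st_nlink != 1 || sb.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* ---- demo helpers using constructed paths (not real xinetd files) ---- */

/* Create `target` as a regular file we own holding 9 bytes of text. */
static int make_target(const char *target)
{
    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1)
        return -1;
    if (write(fd, "original\n", 9) != 9) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Plant a symlink (hard == 0) or hard link (hard == 1) at `path` pointing at
 * `target`, then attempt the safe open. Returns 1 when the open is refused
 * and `target` still holds its original 9 bytes, 0 otherwise. */
int link_is_refused(const char *path, const char *target, int hard)
{
    struct stat sb;
    unlink(path);
    if (make_target(target) == -1)
        return 0;
    if ((hard ? link(target, path) : symlink(target, path)) == -1)
        return 0;
    int fd = safe_open_dump(path);
    if (fd != -1) {                         /* would only happen if the guard failed */
        if (write(fd, "clobbered\n", 10) != 10)
            perror("write");
        close(fd);
    }
    int refused = (fd == -1) && stat(target, &sb) == 0 && sb.st_size == 9;
    unlink(path);
    unlink(target);
    return refused;
}

/* Sanity check: a path with nothing at it is created and accepted. */
int fresh_file_is_accepted(const char *path)
{
    unlink(path);
    int fd = safe_open_dump(path);
    int ok = (fd != -1);
    if (ok)
        close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    const char *dump = "/tmp/xinetd_dump_example";    /* constructed path */
    const char *target = "/tmp/xinetd_dump_target";   /* constructed path */
    printf("fresh file accepted: %d\n", fresh_file_is_accepted(dump));
    printf("symlink refused:     %d\n", link_is_refused(dump, target, 0));
    printf("hard link refused:   %d\n", link_is_refused(dump, target, 1));
    return 0;
}
```

The ownership test matters in a sticky, world-writable directory like /tmp: a pre-existing regular file with one link that belongs to someone else is exactly what a daemon should not append to, and neither O_NOFOLLOW nor the link count catches it.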