Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_4

Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Xinetd /tmp race?

Re: Xinetd /tmp race?

Marc Heuse (marcSUSE.DE)
Fri, 13 Nov 1998 09:09:06 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Marc Slemko: "Re: NT DNS hacked ... ?"
Previous message: Kragen: "Re: catdoc-0.90 buffer overruns"
Maybe in reply to: Balazs Nagy: "Xinetd /tmp race?"
Next in thread: Pavel Kankovsky: "Re: Xinetd /tmp race?"

Hi,

> If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
> this method isn't checked against /tmp, and it happily overwrites anything
> in the place of that file.  The package has been released in 1997, IMHO this
> is too old to have a bug of this kind hidden.

hmm you did inform the xinetd maintainer in the first place, right?

an update for Suse Linux distributions is available at ftp.suse.com.

> BTW here's the patch:

your patch leaves xinted still vulnerable.
Here's the one we issued (which was also sent to the maintainer).
It's hard to secure a create-or-append open call, anyone with an
idea for a standard solution?
[This patch leave xinetd vulnerable if /tmp is not sticky, so it's
not 100% without changing the design or location of how the dump
should be done. But a system without a sticky /tmp is a problem anyway]

--- internals.c.orig    Wed Jan 24 20:32:46 1996
+++ internals.c Thu Nov 12 11:18:39 1998
 -8,6 +8,7 

 #include <sys/types.h>
 #include <sys/stat.h>
+#include <unistd.h>
 #ifdef linux
 #include <sys/time.h>
 #endif
 -54,9 +55,24 
        time_t current_time ;
        register int fd ;
        register unsigned u ;
+       struct stat stat ;
        char *func = "dump_internal_state" ;

-       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND, DUMP_FILE_MODE ) ;
+       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ;
+       if ( dump_fd == -1 )
+       {
+               if ( lstat( dump_file, &stat) != 0)
+               {
+                       msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
+                       return ;
+               }
+               if (stat.st_uid != getuid())
+               {
+                       msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ;
+                       return ;
+               }
+               dump_fd = open( dump_file, O_WRONLY + O_APPEND) ;
+       }
        if ( dump_fd == -1 )
        {
                msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;



Greets,
        Marc
--
  Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  Email: marcsuse.de      Function: Security Support & Auditing
  issue a  "finger marcsuse.de | pgp -fka" for my public pgp key

Next message: Marc Slemko: "Re: NT DNS hacked ... ?"
Previous message: Kragen: "Re: catdoc-0.90 buffer overruns"
Maybe in reply to: Balazs Nagy: "Xinetd /tmp race?"
Next in thread: Pavel Kankovsky: "Re: Xinetd /tmp race?"