08-24-2008, 06:05 PM
"Dmitry E. Oboukhov"

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

Package: cman
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the same
name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the 'RANDOM'
function or pid(), your system is not protected. An attacker can create many
symlinks in order to destroy your data or create a 'denial of service'
for your package scripts.

Even if you rm(dir) the files/directories, your system is
not protected. An attacker can permanently create symlinks.

This list was created with the help of a script. This list was sorted by
hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes.

I set the Severity of this bug to grave. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
file: /usr/share/dtc/admin/accesslog.php
file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
file: /usr/share/linuxtrade/bin/linuxtrade.wn
file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
file: /usr/bin/impose
Binary-package: mgt (2.31-5)
file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
file: /usr/lib/lmbench/scripts/rccs
file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
file: /usr/bin/optics2rad
file: /usr/bin/pdelta
file: /usr/bin/dayfact
file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
file: /usr/lib/ogle/ogle_audio_debug
file: /usr/lib/ogle/ogle_cli_debug
file: /usr/lib/ogle/ogle_ctrl_debug
file: /usr/lib/ogle/ogle_gui_debug
file: /usr/lib/ogle/ogle_mpeg_ps_debug
file: /usr/lib/ogle/ogle_mpeg_vs_debug
file: /usr/lib/ogle/ogle_nav_debug
file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
file: /usr/share/convirt/image_store/_template_/provision.sh
file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
file: /usr/share/convirt/image_store/common/provision.sh
file: /usr/share/convirt/image_store/example/provision.sh
file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
file: /usr/lib/R/bin/javareconf
file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
file: /usr/share/xmcd/scripts/ncsarmt
file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
file: /usr/lib/scilab-4.1.2/bin/scilink
file: /usr/lib/scilab-4.1.2/util/scidoc
file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
file: /usr/sbin/checksendmail
file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
file: /usr/bin/patcil
file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
file: /usr/lib/arb/SH/arb_fastdnaml
file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
file: /usr/bin/apertium-gen-deformat
file: /usr/bin/apertium-gen-reformat
file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
file: /usr/share/freeradius-dialupadmin/bin/tot_stats
file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
file: /var/lib/wims/public_html/bin/coqweb
file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
file: /usr/share/bulmages/examples/scripts/actualizabulmacont
file: /usr/share/bulmages/examples/scripts/installbulmages-db
file: /usr/share/bulmages/examples/scripts/creabulmafact
file: /usr/share/bulmages/examples/scripts/creabulmacont
file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
file: /usr/lib/xastir/get-maptools.sh
file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
file: /usr/bin/plaiter
file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
08-24-2008, 08:15 PM
Steve Langasek

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

severity 496410 important
thanks

On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
> Package: cman
> Severity: grave

> Binary-package: cman (2.20080629-1)
> file: /usr/sbin/fence_egenera

The broken usage is:

local *egen_log;
open(egen_log,">/tmp/eglog");
[...]
print egen_log "shutdown: $trys $status\n";
[...]
print egen_log "shutdown: crash dump being performed. Waiting\n";
[...]
print egen_log "shutdown: $cmd being called, before open3\n";
[...]
print egen_log "shutdown: after calling open3\n";
[...]
print egen_log "shutdown: Open3 result: ", @outlines, "\n";
[...]
print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

This is, of course, wrong, and subject to symlink attack. However, I don't
see any way that this can be exploitable for privilege escalation, which is
the standard for 'grave' severity security bugs: it doesn't allow arbitrary
output to the file, only a finite set of strings which are not valid shell,
cron entries, password/shadow entries, or any other config file that I know
of.

So at best this appears to be a DoS symlink attack; therefore downgrading.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org



 
08-25-2008, 06:40 AM
"Dmitry E. Oboukhov"

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

tags 496410 security
thanks

On 13:15 Sun 24 Aug , Steve Langasek wrote:
SL> severity 496410 important
SL> thanks

You are mistaken.

Your script is placed in /usr/sbin, i.e. it runs with root privs.
If I create symlink /etc/shadow -> /tmp/eglog and you start this script,
then your system will be damaged.

Please check it again (and please revert the severity level).

SL> On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
SL>> Package: cman
SL>> Severity: grave

SL>> Binary-package: cman (2.20080629-1)
SL>> file: /usr/sbin/fence_egenera

SL> The broken usage is:

SL> local *egen_log;
SL> open(egen_log,">/tmp/eglog");
SL> [...]
SL> print egen_log "shutdown: $trys $status\n";
SL> [...]
SL> print egen_log "shutdown: crash dump being performed. Waiting\n";
SL> [...]
SL> print egen_log "shutdown: $cmd being called, before open3\n";
SL> [...]
SL> print egen_log "shutdown: after calling open3\n";
SL> [...]
SL> print egen_log "shutdown: Open3 result: ", @outlines, "\n";
SL> [...]
SL> print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

SL> This is, of course, wrong, and subject to symlink attack. However, I don't
SL> see any way that this can be exploitable for privilege escalation, which is
SL> the standard for 'grave' severity security bugs: it doesn't allow arbitrary
SL> output to the file, only a finite set of strings which are not valid shell,
SL> cron entries, password/shadow entries, or any other config file that I know
SL> of.

SL> So at best this appears to be a DoS symlink attack; therefore downgrading.
--

. '`. Dmitry E. Oboukhov
: :’ : unera@debian.org
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
 
08-25-2008, 06:57 AM
Steve Langasek

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote:
> On 13:15 Sun 24 Aug , Steve Langasek wrote:
> SL> severity 496410 important
> SL> thanks

> You are mistaken.

> Your script is placed in /usr/sbin, i.e. it runs with root privs.
> If I create symlink /etc/shadow -> /tmp/eglog and you start this script,
> then your system will be damaged.

The standard for grave-severity security bugs in Debian is "can be used by
an attacker to gain control of an account of a user who uses this package",
not "can be used by an attacker to create a Denial of Service by breaking
the system". Writing this garbage to /etc/shadow will not result in
privilege escalation, it will only result in a broken system; therefore, it
is my understanding that this is not a grave bug.

So I don't think I've made a mistake here.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org



 
08-27-2008, 03:12 PM
"Dmitry E. Oboukhov"

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

severity 496410 grave
thanks

SL> So I don't think I've made a mistake here.

You are mistaken, see
http://www.debian.org/Bugs/Developer.en.html#severities

quote:

grave
makes the package in question unusable or mostly so, or causes data
loss, or introduces a security hole allowing access to the accounts
of users who use the package.


_or_ _causes_ _data_ _loss_

create symlink /etc/shadow -> /tmp/eglog and you lose the
data of /etc/shadow

--
... mpd is off

. '`. Dmitry E. Oboukhov
: :’ : mailto://unera@debian.org jabber://UNera@uvw.ru
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
 
08-27-2008, 03:26 PM
Bastian Blank

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

severity 496410 important
thanks

On Wed, Aug 27, 2008 at 07:12:29PM +0400, Dmitry E. Oboukhov wrote:
> _or_ _causes_ _data_ _loss_

It does not cause data loss, the admin needs to execute it. And now stop
bitching around.

Bastian

--
Superior ability breeds superior ambition.
-- Spock, "Space Seed", stardate 3141.9



 
10-11-2008, 11:56 AM
Tobias Klauser

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

Hi,

It looks like there are some more tempfile creation problems in the
redhat-cluster source package.

1) In rgmanager/src/daemons/main.c (line 707):

void
dump_internal_state(char *loc)
{
	FILE *fp;
	fp=fopen(loc, "w+");
	dump_config_version(fp);
	dump_threads(fp);
	dump_vf_states(fp);
#ifdef WRAP_THREADS
	dump_thread_states(fp);
#endif
	dump_cluster_ctx(fp);
	//malloc_dump_table(fp, 1, 16384); /* Only works if alloc.c us used */
	fclose(fp);
}
...
dump_internal_state("/tmp/rgmanager-dump");

This file is part of the binary clurgmgrd (package rgmanager) which is run as
root.

2) In gfs2/edit/savemeta.c (line 27):

#define DFT_SAVE_FILE "/tmp/gfsmeta"
...
if (!out_fn)
	out_fn = DFT_SAVE_FILE;
out_fd = open(out_fn, O_RDWR | O_CREAT, 0644);
if (out_fd < 0)
	die("Can't open %s: %s\n", out_fn, strerror(errno));

if (ftruncate(out_fd, 0))
	die("Can't truncate %s: %s\n", out_fn, strerror(errno));

This file is part of the binary gfs2_edit (package gfs2-tools) which is run as
root.

3) In ccs/ccs_tool/upgrade.c (line 223):

sprintf(tmp_file, "/tmp/tmp_%d", getpid());

tmp_fd = open(tmp_file, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
...
unlink(tmp_file);

The filename depends only on the PID of the process. However, the binary
ccs_tool does not seem to be part of any package built from the redhat-cluster
source package.

Cheers, Tobias



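The three snippets above (a fixed `/tmp` name passed to `fopen(loc, "w+")`, an `open(..., O_RDWR | O_CREAT, 0644)` on a fixed name, and a PID-derived name) all share the defect the bug report opens with: the name is predictable and the open call follows whatever a local user has planted at that path. The example below is an added illustration, not code from the cman or redhat-cluster packages; the helper names `open_fixed_name_safely`, `open_private_dump` and `run_symlink_check` are hypothetical, and the scratch directory, victim file and link it creates are constructed for the demonstration. It shows the two standard corrections: creating with `O_CREAT | O_EXCL | O_NOFOLLOW`, which fails instead of traversing a pre-planted symlink, and letting `mkstemp(3)` pick an unpredictable name atomically, which also answers the report's point that `$RANDOM` or `getpid()` names are not enough.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hardened replacement for open(out_fn, O_RDWR | O_CREAT, 0644) on a fixed /tmp
 * name (hypothetical helper).  O_EXCL makes creation atomic and fails with EEXIST
 * when anything already occupies the path, a regular file or a symlink, even a
 * dangling one; O_NOFOLLOW additionally refuses to traverse a symlink at the final
 * component.  Returns an fd, or -1 with errno set. */
int open_fixed_name_safely(const char *path, mode_t mode)
{
	return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
}

/* Preferred replacement for dump_internal_state("/tmp/rgmanager-dump")
 * (hypothetical helper): mkstemp(3) picks an unpredictable name and creates it
 * atomically with O_EXCL, so a PID- or $RANDOM-based name that an attacker can
 * guess and pre-plant is never used.  fdopen keeps fprintf-style dump code
 * unchanged.  'template_inout' must end in "XXXXXX" and receives the real name. */
FILE *open_private_dump(char *template_inout)
{
	int fd = mkstemp(template_inout);
	if (fd < 0)
		return NULL;
	FILE *fp = fdopen(fd, "w+");
	if (fp == NULL) {
		int saved = errno;
		close(fd);
		unlink(template_inout);
		errno = saved;
	}
	return fp;
}

/* Read a small file into buf (NUL-terminated); returns bytes read or -1. */
static long read_small(const char *path, char *buf, size_t cap)
{
	FILE *f = fopen(path, "r");
	if (f == NULL)
		return -1;
	size_t n = fread(buf, 1, cap - 1, f);
	fclose(f);
	buf[n] = '\0';
	return (long)n;
}

/* Self-check in a private scratch directory (all paths constructed here):
 *  1. write a "victim" file with known content;
 *  2. plant a symlink under the fixed log name that points at it, i.e. the
 *     precondition the report describes, reproduced on our own files only;
 *  3. the hardened open must refuse (EEXIST or ELOOP) and the victim stay intact;
 *  4. the mkstemp-based open must yield a fresh private file we can read back.
 * Returns 0 on success, the failing step number, or -1 on a setup error. */
int run_symlink_check(void)
{
	char dir[128], victim[160], link[160], tmpl[160], buf[64];
	const char *original = "original victim contents\n";
	const char *base = getenv("TMPDIR");
	int rc = 0, fd;
	FILE *f;

	snprintf(dir, sizeof dir, "%s/symlink-check-XXXXXX", base ? base : "/tmp");
	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(victim, sizeof victim, "%s/victim", dir);
	snprintf(link, sizeof link, "%s/eglog", dir);
	snprintf(tmpl, sizeof tmpl, "%s/dump-XXXXXX", dir);

	f = fopen(victim, "w");                               /* step 1 */
	if (f == NULL || fputs(original, f) == EOF || fclose(f) != 0)
		rc = -1;
	if (rc == 0 && symlink(victim, link) != 0)            /* step 2 */
		rc = -1;
	if (rc == 0) {                                        /* step 3 */
		fd = open_fixed_name_safely(link, 0600);
		if (fd >= 0) {
			close(fd);
			rc = 3;                  /* the link was followed: unsafe */
		} else if (errno != EEXIST && errno != ELOOP) {
			rc = 3;
		} else if (read_small(victim, buf, sizeof buf) < 0 ||
			   strcmp(buf, original) != 0) {
			rc = 3;                  /* victim content was altered */
		}
	}
	if (rc == 0) {                                        /* step 4 */
		f = open_private_dump(tmpl);
		if (f == NULL) {
			rc = 4;
		} else {
			fputs("dump\n", f);
			fclose(f);
			if (read_small(tmpl, buf, sizeof buf) < 0 ||
			    strcmp(buf, "dump\n") != 0)
				rc = 4;
			unlink(tmpl);
		}
	}
	unlink(link);
	unlink(victim);
	rmdir(dir);
	return rc;
}
```

`O_EXCL` alone already makes the kernel return `EEXIST` for a symlink at the target path, so the `O_NOFOLLOW` flag is belt and braces; the part that actually removes the race is that the name is either created atomically and exclusively or not used at all. For a root daemon the cleaner design is to avoid a world-writable directory altogether and dump into a root-owned directory under `/var/lib` or `/run`, but where `/tmp` must be used, `mkstemp` on a template in that directory is the portable fix.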
 
10-17-2008, 12:23 PM
Nico Golde

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

Hi,
the following two additional CVE ids have been assigned to
symlink issues in cman & redhat-cluster:
CVE-2008-4579[0]:
| The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a)
| fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode,
| allows local users to append to arbitrary files via a symlink attack
| on the apclog temporary file.

CVE-2008-4580[1]:
| fence_manual in fence allows local users to modify arbitrary files via
| a symlink attack on the fence_manual.fifo temporary file.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4579
http://security-tracker.debian.net/tracker/CVE-2008-4579
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4580
http://security-tracker.debian.net/tracker/CVE-2008-4580

Cheers
Nico

--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
 
11-18-2008, 06:40 PM
Stefan Fritsch

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

The new upstream version that fixes this bug introduces a lot of other
changes and doesn't seem acceptable for lenny.


Is anyone working on backporting the fix for a t-p-u upload? I can
probably do it later this week but I don't want to duplicate work.


Cheers,
Stefan



 
