GIPTables Firewall Unsafe Temporary File Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1014109
SecurityTracker URL: http://securitytracker.com/id?1014109
CVE Reference: CAN-2005-1878
Updated: Jun 9 2005
Original Entry Date: Jun 6 2005
Impact: Modification of system information, Modification of user information, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.1
Description: Eric Romang from ZATAZ Audit reported a vulnerability in GIPTables Firewall. A local user can gain elevated privileges.

The application creates a temporary file '/tmp/temp.ip.addresses' in an unsafe manner. A local user can create a symbolic link (symlink) at the temporary file's path that points to a critical file on the system. Then, when the target root user runs the application to configure or reconfigure the firewall rules, the symlinked file may be overwritten with the privileges of the target user.

The vendor was notified on May 22, 2005, without response.

The original advisory is available at:
http://www.zataz.net/adviso/giptables-05222005.txt
Impact: A local user can gain the privileges of the target user running the application.
Solution: No solution was available at the time of this entry.
Vendor URL: www.giptables.org/
Cause: Access control error, State error
Underlying OS: Linux (Any)
Reported By: ZATAZ Audits <exploits@zataz.net>
Message History: None.

Source Message Contents

Date: Mon, 06 Jun 2005 10:05:01 +0200
From: ZATAZ Audits <exploits@zataz.net>
Subject: GIPTables Firewall <= v1.1 insecure temporary file creation

#########################################################
GIPTables Firewall insecure temporary file creation
Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low
#########################################################
The vulnerability is caused by a temporary file being created
insecurely. This can be exploited via symlink attacks in combination
with a race condition to create and overwrite arbitrary files with the
privileges of the user running the affected script.
It is also possible to cause a Denial of Service by manipulating the
IP addresses present in the temporary file.
Exploitation requires that root configure or reconfigure his
firewall rules.
##########
Versions:
##########
GIPTables Firewall <= v1.1
##########
Solution:
##########
No solution yet.
#########
Timeline:
#########
Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06
#####################
Technical details :
#####################
Vulnerable code :
-----------------
# Network Ghouls
[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"
if [ "$NETWORK_GHOULS" == "yes" ] && [ -f "$GIPTABLES_BLOCKED_FILE" ]; then
    deny_file="$GIPTABLES_BLOCKED_FILE"
    temp_file="/tmp/temp.ip.addresses"
    cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk ' $1 ' > $temp_file
    while read ip_addr
    do
        drop_ipaddr interface0_in source $ip_addr && \
        drop_ipaddr interface0_out destination $ip_addr
        [ -n "$INTERFACE1" ] && \
        drop_ipaddr interface1_in source $ip_addr && \
        drop_ipaddr interface1_out destination $ip_addr
        [ -n "$INTERFACE1" ] && \
        drop_ipaddr network1_in source $ip_addr && \
        drop_ipaddr network1_out destination $ip_addr
    done < $temp_file
    rm -f $temp_file > /dev/null 2>&1
    unset temp_file
    unset deny_file
fi
#########
Related :
#########
nothing related
##############
Possible fix :
##############
deny_file="$GIPTABLES_BLOCKED_FILE"
# mkdir fails if the path already exists, including as a symlink
if mkdir "/tmp/.giptables.$$"; then
    chmod 700 /tmp/.giptables.$$
    temp_file="/tmp/.giptables.$$/temp.ip.addresses"
else
    echo "Error: failed to create temporary file" 1>&2
    exit 1
fi
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)
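
The following is an added example, not part of the ZATAZ advisory or the GIPTables code: the same blocklist-parsing step staged through a file created with mktemp instead of the fixed name '/tmp/temp.ip.addresses', plus a sandbox check that a symlink planted at the old name is left untouched. The function names, the optional base-directory argument and the sample blocklist are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not GIPTables code). Sample data below is constructed.

# Print the leading IP token of each blocklist line, staging through a
# temp file as the advisory's script does, but with safe creation.
# $1 = blocklist file, $2 = temp base dir (assumed; defaults to $TMPDIR or /tmp)
extract_blocked_ips() {
    deny_file=$1
    base=${2:-${TMPDIR:-/tmp}}
    # mktemp picks an unpredictable name and creates the file exclusively
    # with mode 0600, so a pre-planted symlink is never opened or followed.
    temp_file=$(mktemp "$base/giptables.XXXXXXXXXX") || return 1
    sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' "$deny_file" | awk '$1' > "$temp_file"
    cat "$temp_file"
    rm -f -- "$temp_file"
}

# Sandbox check: place a symlink at the old fixed name inside a private
# directory, run the hardened function there, then print the link target's
# content (which must be unchanged) followed by the parsed addresses.
demo_symlink_sandbox() {
    sandbox=$(mktemp -d) || return 1
    printf 'ORIGINAL\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/temp.ip.addresses"
    printf '10.0.0.1  # constructed entry\n# comment only\n 192.0.2.7\n' > "$sandbox/blocked"
    extract_blocked_ips "$sandbox/blocked" "$sandbox" > "$sandbox/out"
    cat "$sandbox/victim" "$sandbox/out"
    rm -rf -- "$sandbox"
}
```

Where the loop can read from a pipe, dropping the temporary file altogether removes the problem at its source.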