SecurityTracker.com
Category:   Application (Generic)  >   Apcupsd
Vendors:   Apcupsd Project
apcupsd Unsafe File Permissions Let Local Users Kill Arbitrary Processes
SecurityTracker Alert ID:  1008774
SecurityTracker URL:  http://securitytracker.com/id/1008774
CVE Reference:   CVE-2001-0040
Date:  Jan 20 2004
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 3.7.2 and possibly earlier versions
Description:   A denial of service vulnerability was reported in apcupsd. A local user can cause arbitrary processes on the target system to be killed.

In December 2000, it was reported that the software creates a temporary file ('apcupsd.pid') in the /var/run directory and assigns unsafe 0666 permissions (i.e., global read and write permissions) to the file. A local user can overwrite the contents of the file with arbitrary process IDs to cause the specified processes to be killed by apcupsd when the daemon is restarted or stopped, or when the daemon performs shutdown.

The vendor was reportedly notified on July 12, 2000.

Impact:   A local user can cause arbitrary processes on the target system to be killed.
Solution:   The vendor has released a fixed version (3.8.0), available at:

http://sourceforge.net/project/showfiles.php?group_id=54413

Vendor URL:  www.apcupsd.com/
Cause:   Access control error, Configuration error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  apcupsd 3.7.2 Denial of Service


Title:    apcupsd 3.7.2 Denial of Service

Affected Application:    apcupsd daemon

Affected Versions:    3.7.2 and maybe prior

Not affected:    3.8.0 and above

Affected Platforms:    all Linux / Unix

Vulnerability Class:    Denial of Service (local)

Author Notified:    Yes    July 12th 2000

Fix available:    Yes (included)


Description:

Apcupsd is a daemon for controlling most of APC's UPS models on Unix and
Windows machines. The Unix daemon runs as root and shuts the machine down in
case of a power failure.


Problem:

During startup apcupsd creates a PID-file named "apcupsd.pid" in /var/run
(system specific, maybe other directory) with the ID of the daemon process;
this PID-file is used by the shutdown-script to kill the daemon process.

Unfortunately this PID-file is world-writeable (Mode 666, -rw-rw-rw). A
malicious user can overwrite the file with arbitrary process IDs; these
processes will be killed instead of the apcupsd process during restart or
stop of the apcupsd daemon and during system shutdown or restart. The whole
system can be crashed this way.


Solution:

Upgrade to apcupsd Version 3.8.0.

It's available at:

http://www.sibbald.com/apcupsd/
http://www.oasi.gpa.it/riccardo/linux/apcupsd/
ftp://ftp.oasi.gpa.it/pub/apcupsd/


Users who don't want to upgrade can add two lines to the "start" section in
the apcupsd startup script in /etc/rc.d or /sbin/init.d:

---begin---

     start)
         rm -f /etc/apcupsd/powerfail
         rm -f /etc/nologin
         echo -n "Starting apcupsd power management"
         $APCUPSD || return=$rc_failed

         # give the daemon some little time to create the PID-file
         sleep 1

         # now simply chmod the PID-file to mode 644
         chmod 644 /var/run/apcupsd.pid

         echo -e "$return"
     ;;

---end---



Mattias Dartsch

matze@joonix.de
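
A defensive check that a stop script could run before trusting the PID file described above, as an added example that is not part of the original advisory or of the apcupsd scripts. The function names, the owner-UID parameter and the reliance on Linux /proc are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): checks before trusting a PID file.

# pidfile_trusted FILE [OWNER_UID]
# True only for a regular, non-symlink file owned by OWNER_UID (default 0,
# root) with no group or world write bit, i.e. not the 0666 case above.
pidfile_trusted() {
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # ls -ldn prints: mode, link count, numeric uid, ...
    read -r mode _links uid _rest <<EOF
$(ls -ldn "$f")
EOF
    [ "$uid" = "$want_uid" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# read_pid FILE: print the PID if FILE holds exactly one integer above 1.
read_pid() {
    pid=$(cat "$1") || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;          # empty, several values, non-numeric
    esac
    [ "$pid" -gt 1 ] 2>/dev/null || return 1   # design choice: never 0 or init
    printf '%s\n' "$pid"
}

# pid_is_daemon PID NAME: true if process PID is named NAME (Linux /proc).
pid_is_daemon() {
    [ -r "/proc/$1/comm" ] && [ "$(cat "/proc/$1/comm")" = "$2" ]
}

# safe_stop FILE NAME [OWNER_UID]: send SIGTERM only if every check passes.
safe_stop() {
    pidfile_trusted "$1" "${3:-0}" ||
        { echo "refusing: unsafe PID file $1" >&2; return 1; }
    p=$(read_pid "$1") ||
        { echo "refusing: bad content in $1" >&2; return 1; }
    pid_is_daemon "$p" "$2" ||
        { echo "refusing: PID $p is not $2" >&2; return 1; }
    kill -TERM "$p"
}
```

A stop script would call `safe_stop /var/run/apcupsd.pid apcupsd` in place of killing whatever PID the file contains.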


 
 

