SecurityTracker.com
Category:   Application (Generic)  >   Dump
Vendors:   [Multiple Authors/Vendors]
Dump Lets Local Users Deny Service By Locking a Certain File
SecurityTracker Alert ID:  1014620
SecurityTracker URL:  http://securitytracker.com/id/1014620
CVE Reference:   CVE-2002-1914
Date:  Aug 3 2005
Impact:   Denial of service via local system


Description:   In July 2002, a vulnerability was reported in Dump. A local user can cause denial of service conditions.

A local user can invoke the flock() function on certain files that are used for critical system applications to deny service to those applications.

The 'dump' application is affected. A local user can lock the '/etc/dumpdates' file to cause dump to fail to run.

The 'tip' application is also affected. A local user can lock the '/var/log/acculog' file to cause denial of service conditions.

Lumpy reported this vulnerability.

Impact:   A local user can cause the 'dump' application to fail.
Solution:   Some operating system distribution vendors have issued fixes for their distributions.
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)
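
Added example (not part of the advisory or of any vendor fix): the blocking `flock(fileno(df), LOCK_SH)` call quoted in the source message below waits for as long as another process holds an exclusive lock, so this sketch shows a bounded acquisition with `LOCK_NB` that turns the wait into a reportable error. The function names, scratch path and 50 ms polling step are assumptions for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose flock() and mkstemp() under strict -std */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Take `op` (LOCK_SH or LOCK_EX) on fd by polling with LOCK_NB.
 * Returns 0 on success, 1 if still locked after timeout_ms, -1 on error. */
int lock_with_timeout(int fd, int op, int timeout_ms)
{
    const struct timespec step = { 0, 50 * 1000 * 1000 };   /* 50 ms */
    for (int waited = 0; ; waited += 50) {
        if (flock(fd, op | LOCK_NB) == 0)
            return 0;
        if (errno != EWOULDBLOCK && errno != EINTR)
            return -1;
        if (waited >= timeout_ms)
            return 1;               /* caller reports and exits, no hang */
        nanosleep(&step, NULL);
    }
}

/* Constructed demo on a scratch file (hypothetical path, not /etc/dumpdates).
 * A second descriptor stands in for another process holding LOCK_EX. */
int demo(int hold_lock, int timeout_ms)
{
    char path[] = "/tmp/dumpdates-demo-XXXXXX";
    int rc = -1, holder = mkstemp(path);
    if (holder < 0)
        return -1;
    int reader = open(path, O_RDONLY);
    if (reader >= 0 && (!hold_lock || flock(holder, LOCK_EX) == 0))
        rc = lock_with_timeout(reader, LOCK_SH, timeout_ms);
    if (reader >= 0)
        close(reader);
    close(holder);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("free file: %d, locked file: %d\n", demo(0, 200), demo(1, 200));
    return 0;
}
```

A timeout only makes the failure visible. Because flock() accepts a descriptor opened in any mode, removing the condition itself means keeping untrusted users from opening the file at all, for example through its ownership and permissions.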

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 3 2005 (Red Hat Issues Fix) Dump Lets Local Users Deny Service By Locking a Certain File
Red Hat has released a fix.



 Source Message Contents

Subject:  asciiSECURE advisory (2002-07-17/1)

____________________________________________________________________________
ASCII HEADER ADVISORY !! ALERT !! ASCII HEADER ADVISORY !! ALERT !! ASCII HE
:::::::: ADDIUNG A POORLY GENERATED ASCII HEADERZ FOR BUGTACKY READERZAAZSZ!
:::::apparentlytheonlywaytogetamessageacceptedonbugtraqistodothis:::::::::::
:::GREETZ2MOIher0z...mali/malificient/the mali amazing san fran treat:::::::
____________________________________________________________________________
Summary:  The BSDs, and even SUSE has been warned of this problem
	but for some reason they decided to ignore it, and act like it
	wasn't worth fixing.  Well, that's cool and all, unless you actually
	care about your system being able to do such basic features as:

			+ BACK UP DATA USING 'dump'
			+ USE SEVERAL MODEM BASED PROGRAMS USING 'tip'

	Any system user using 'flock()' can prevent the above features
	from working.
____________________________________________________________________________

Vulnerable OSes:
			ALL RELEASED VERSIONS OF:

			+ OpenBSD (SEQUOORITY CONSCIENCESSOUS OPERATING
					SYSTEM THAT DISREGARDS LOCAL SECURITY!)
			+ FreeBSD
			+ NetBSD
			+ SUSE Linoocks

			(All have been notified, and none have provided
			 suitable responses indicating fixes that will
			 be implemented.  If they have gotten around to
			 fixing it in the window between then and now,
			 shame on them for not contacting us back and
			 letting us know. We have a tight schedule at
			 WENDY'S, yo.  DAIRYFR33Z3 MANG)
____________________________________________________________________________
Creditz: Dead M1ke, the amazing wonder c0w, and Maynard the Public Works CSR
____________________________________________________________________________

Explanation:

		[SNIPPETS TO MAKE ME SOUND MORE BELIEVABLE!!$!$]
	----------------------------------
        (void) flock(fileno(df), LOCK_SH);
        readdumptimes(df);
        (void) fclose(df);
	----------------------------------

			The application 'dump' is used by system
		administrators to backup filesystems.  If your system
		gets compromised, it's generally nice to have backups,
		but ANY USER can stop dump from being able to run simply
		by flock()ing the /etc/dumpdates file.

			It has been said before that flock security holes
		are 'unlikely' and 'easy to track down', but this was only
		said in reference to a small minded view of the method of
		attack.  A clever system penetrator would definitely be
		able to use this to their advantage, especially as a
		'nobody' user run out of a web server.  That's just one
		simple example, but if you're creative you could think of
		more.

			Perhaps you don't use dump, but you do use an
		application that uses 'tip' to communicate with a serial
		device.  Do you use it for notification?  I wouldn't on
		BSD or Linux and here's why.. if 'ACCULOG' is flocked
		(generally /var/log/acculog), it will freeze dead in its
		tracks too.

			There are more instances of questionable uses of
		flock()ing, but since we can't even get these ones fixed,
		it's hard to imagine they would be worth writing about.
____________________________________________________________________________

Exploit:

		If you're using freebsd, you simply use the /usr/bin/lockf
		command.  Other people can compile that.. grab it off of
		http://www.freebsd.org/.

		That's all you need, and you can do really bad things on
		a system..

		HOWEVER -- it seems bugtraq is all about no name CGIs from
		russia that have poor perl mistakes and are exploitable on
		all of 3 servers in the world, so maybe you won't see this
		warning. SUCKS TO BE YOU I GUESS.
____________________________________________________________________________

PEACE
____________________________________________________________________________
 
 

