SecurityTracker.com
Category:   Application (Security)  >   GIPTables Firewall
Vendors:   giptables.org
GIPTables Firewall Unsafe Temporary File Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1014109
SecurityTracker URL:  http://securitytracker.com/id/1014109
CVE Reference:   CVE-2005-1878
Updated:  Jun 9 2005
Original Entry Date:  Jun 6 2005
Impact:   Modification of system information, Modification of user information, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.1
Description:   Eric Romang from ZATAZ Audit reported a vulnerability in GIPTables Firewall. A local user can gain elevated privileges.

The application creates a temporary file '/tmp/temp.ip.addresses' in an unsafe manner: the path is fixed and predictable, and it lives in a world-writable directory. A local user can create a symbolic link (symlink) at the temporary file's path that points to a critical file on the system. Then, when the target root user runs the application to configure or reconfigure the firewall rules, the file the symlink points to may be overwritten with the privileges of the target user.

The vendor was notified on May 22, 2005, without response.

The original advisory is available at:

http://www.zataz.net/adviso/giptables-05222005.txt

Impact:   A local user can gain the privileges of the target user running the application.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.giptables.org/
Cause:   Access control error, State error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  GIPTables Firewall <= v1.1 insecure temporary file creation


#########################################################

GIPTables Firewall insecure temporary file creation

Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low

#########################################################

The vulnerability is caused by a temporary file being created
insecurely. This can be exploited via symlink attacks in combination
with a race condition to create and overwrite arbitrary files with the
privileges of the user running the affected script.

It is also possible to cause a Denial of Service by manipulating the
IP addresses present in the temporary file.

Exploitation requires that root configure or reconfigure his
firewall rules.

##########
Versions:
##########

GIPTables Firewall <= v1.1

##########
Solution:
##########

No solution yet.

#########
Timeline:
#########

Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
-----------------

# Network Ghouls

[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"

if [ "$NETWORK_GHOULS" == "yes" ] && [ -f "$GIPTABLES_BLOCKED_FILE" ]; then

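      deny_file="$GIPTABLES_BLOCKED_FILE"
      # Fixed, predictable name in world-writable /tmp: the redirection
      # below follows a symlink planted at this path
      temp_file="/tmp/temp.ip.addresses"
      cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk ' $1 ' > $temp_file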
      while read ip_addr
      do

          drop_ipaddr interface0_in source $ip_addr && \
          drop_ipaddr interface0_out destination $ip_addr

          [ -n "$INTERFACE1" ] &&  \
          drop_ipaddr interface1_in source $ip_addr && \
          drop_ipaddr interface1_out destination $ip_addr

          [ -n "$INTERFACE1" ] &&  \
          drop_ipaddr network1_in source $ip_addr && \
          drop_ipaddr network1_out destination $ip_addr

      done < $temp_file
      rm -f $temp_file > /dev/null 2>&1
      unset temp_file
      unset deny_file

fi

#########
Related :
#########

nothing related

##############
Possible fix :
##############

deny_file="$GIPTABLES_BLOCKED_FILE"

# mkdir fails if the path already exists (including as a symlink), so on
# success the directory was created by this process
if mkdir "/tmp/.giptables.$$"; then
    chmod 700 "/tmp/.giptables.$$"
    temp_file="/tmp/.giptables.$$/temp.ip.addresses"
else
    echo "Error: failed to create temporary file" 1>&2
    exit 1
fi
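
An alternative hardening of the "Network Ghouls" block, added here as an example and not part of the original advisory or of GIPTables. It goes one step beyond the fix above by using mktemp and by validating each address before it reaches the rules. The names extract_ips and block_ghouls are hypothetical, and drop_ipaddr is a stub standing in for the GIPTables function of that name.

```shell
#!/bin/sh
# Added example: hardened form of the "Network Ghouls" temp-file handling.
# drop_ipaddr is a stub standing in for the GIPTables function of that name;
# extract_ips and block_ghouls are hypothetical names.
drop_ipaddr() { printf 'drop %s %s %s\n' "$1" "$2" "$3"; }

# Print one well-formed IPv4 address per line from a deny file, using the
# advisory's sed expression and then rejecting anything that is not a
# dotted quad with octets 0-255.
extract_ips() {
    sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' "$1" |
    awk -F'[.]' 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
        if (ok) print
    }'
}

block_ghouls() {
    deny_file=$1
    # mktemp picks an unpredictable name and creates the file exclusively
    # with mode 0600, so a pre-planted symlink cannot be followed.
    temp_file=$(mktemp "${TMPDIR:-/tmp}/giptables.XXXXXXXXXX") || return 1
    trap 'rm -f "$temp_file"' EXIT   # clean up if the script exits early
    extract_ips "$deny_file" > "$temp_file"
    while read -r ip_addr; do
        # Only interface0 is shown; the other interfaces follow the same pattern.
        drop_ipaddr interface0_in source "$ip_addr" &&
        drop_ipaddr interface0_out destination "$ip_addr"
    done < "$temp_file"
    rm -f "$temp_file"
    trap - EXIT
    unset temp_file deny_file
}

# Constructed sample deny file (not taken from the advisory).
sample=$(mktemp) || exit 1
printf '10.0.0.1 # constructed entry\n  192.0.2.7\n999.1.1.1\n# comment\n' > "$sample"
block_ghouls "$sample"
rm -f "$sample"
```

Setting the EXIT trap inside the function replaces any EXIT trap the calling script already had, so a script with its own cleanup handler should fold the rm into that handler instead.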


#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
 
 



Copyright 2019, SecurityGlobal.net LLC