Lucene search
K

autobuse-angel.txt

🗓️ 01 Feb 2000 00:00:00Reported by John DanieleType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 23 Views

Tools Angel and Autobuse insecurely handle temporary files, risking symlink attacks and data leaks.

Code
`Hi,  
  
This weekend I decided to play around with a couple of network  
management tools on securityfocus.com; Angel  
(http://www.paganini.net/angel/,  
and Autobuse (http://www.picante.com/~gtaylor/download/. Unfortunately,  
upon review of the source, I noticed a bad trend. Both tools handle  
temporary files insecurely. For example:  
  
In Autobuse's main perl script, line 96:  
  
if(!$test_run) {  
open OUT, ">/tmp/autobuse_report.$$"  
or die "can't open /tmp/autobuse_report.$$";  
select OUT;  
}  
  
Simple symlink attack: make a link from a file that is writable to the  
user running the script to /tmp/autobuse_report.$$ (just brute force  
the .$$ part) to overwrite the linked file. Since a lot of users will  
be putting network managements scripts in root's crontab, this poses  
a significant risk to security.  
  
Variation of the same story in Angel.pl, line 504:  
  
sub timeexec  
{  
...  
my($tempfile) = "/tmp/timeexec.$$";  
$myproc = Proc::Simple->new();  
$myproc->start("$cmd >$tempfile 2>&1");  
...  
open (CDTEMP, "$tempfile") || return (-1, ());  
...  
  
The subroutine timeexec() is called by Angel's Check_ping.pl,  
Check_load.pl and Check_disk.pl plugin scripts like this:  
  
($ret, @output) = timeexec($Default_tries, $Default_timeout, $rcmdline);  
  
I looked around for some more perl/shell scripts on securityfocus that  
exhibited the same problem and found confcollect:  
  
#!/bin/sh  
VERSION=0.1d  
COPYRIGHT='1999 Eddie Olsson <[email protected]>'  
PATH=$PATH:/sbin  
# Ls instllningar i filen /etc/confcollect.conf  
[ -f /etc/confcollect.conf ] || exit 1  
. /etc/confcollect.conf  
CFILENAME=`hostname`.`date +"%Y%m%d"`.confcollect.tar.gz  
...  
tar zcf /tmp/$CFILENAME /etc 2>/dev/null  
  
Oh, I also noticed a vulnerable example script on my slack 7 box  
at /usr/lib/m4-examples/stackovf.sh:  
(yeah, yeah, I know, who is silly enough to run this stuff as r00t? :P )  
  
#!/bin/sh  
...  
tmpfile=/tmp/t.$$  
trap `rm -f $tmpfile; exit 1' 1 2 3 15  
...  
$M4 -L999999999 > $tmpfile 2>&1  
  
OH! OH! and a really cool program that a number of ppl I know run called  
root-portal (http://driftwood.draconic.com/root-portal) contains a number  
of scripts afflicted by the same bug!:  
  
#!/bin/sh  
cd /tmp  
...  
if test "${more_recent}" = "${half_hour_ago}"  
then  
mv -f recentnews.txt recentnews.txt.old > /dev/null  
wget -q http://freshmeat.net/backend/recentnews.txt  
if test ! -f /tmp/recentnews.txt  
then  
mv -f recentnews.txt.old recentnews.txt > /dev/null  
fi  
chmod a+rw recentnews.txt  
date '+%Y%j%H%M' > /tmp/freshmeat_read.timestamp  
chmod a+rw freshmeat_read.timestamp  
fi  
  
heh, forgot to mv freshmeat_read.timestamp too eh?  
Nice way to make certain files world writable!  
  
Lets all be a bit more careful next time shall we?  
  
Rule of thumb:  
  
- Create a more secure storage directory for your temporary files.  
mkdir /home/blah; chmod 600 /home/blah  
  
- Allow the user to easily customize this directory:  
$SECUREDIR = /home/blah  
  
- Check for the existence of your temporary file before you do anything  
with it:  
  
$SECUREDIR=/home/blah  
$tmpfile=$SECUREDIR/t.$$  
if [ -e $tmpfile ]; then  
echo -e "ERROR! : temporary file exists, erasing!\r\n"; rm -rf  
$tmpfile  
fi  
  
- If necessary, ensure that the file is not a symlink:  
if( -l $tmpfile ); then ...  
  
- John Daniele  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation