wide-dhcp.txt

1999-08-17T00:00:00
ID PACKETSTORM:15349
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `  
[ http://www.rootshell.com/ ]  
  
From form@vs.itam.nsc.ru Fri Jul 17 12:47:17 1998  
Date: Fri, 17 Jul 1998 19:52:31 +0700 (NOVST)  
From: Oleg Safiullin <form@vs.itam.nsc.ru>  
To: www-request@rootshell.com  
Subject: wide-dhcp security hole  
  
Bug found in OpenBSD port of wide-dhcp /created by me :-)/.  
  
WIDE DHCP server creates /tmp/addrpool_dump without checking if this file  
already exists, so any user can overwrite any file doing something like this:  
  
ln -s /etc/master.passwd /tmp/addrpool_dump  
  
This bug already fixed in OpenBSD ports tree. The author of wide-dhcp is  
notified.  
  
If you are currently using wide dhcp, you can fix this error by adding  
  
unlink(ADDRPOOL_DUMP) before fopen(ADDRPOOL_DUMP, "w+") in files  
server/dhcps.c  
server/database.c  
  
Sorry for patchless message - I've made this fix only over patched sources for  
OpenBSD. And of course, sorry for my poor English :)  
  
---  
* FORTRAN: God is real, unless declared integer...  
`