[Full-disclosure] GIPTables Firewall <= v1.1 insecure temporary file creation

2005-06-06T00:00:00
ID SECURITYVULNS:DOC:8797
Type securityvulns
Reporter Securityvulns
Modified 2005-06-06T00:00:00

Description

GIPTables Firewall insecure temporary file creation

Vendor: http://www.giptables.org/ Advisory: http://www.zataz.net/adviso/giptables-05222005.txt Vendor informed: yes Exploit available: yes Impact : medium Exploitation : low

The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination with a race condition to create and overwrite arbitrary files with the privileges of the user running the affected script.

It is also possible to cause a Denial of Service by manipulating the ip adresses present into the temporary file

The exploitation require that the root configure or reconfigure his firewall rules.

Versions:

GIPTables Firewall <= v1.1

Solution:

non solution yet.

Timeline:

Discovered : 2005-05-22 Vendor notified : 2005-05-22 Vendor response : no response Vendor fix : no fix Disclosure : 2005-06-06

Technical details :

Vulnerable code :


Network Ghouls

[ "$NETWORK_GHOULS" == "yes" ] && \ [ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"

if [ "$NETWORK_GHOULS" == "yes" ] && [ -f "$GIPTABLES_BLOCKED_FILE" ]; then

  deny_file=&quot;$GIPTABLES_BLOCKED_FILE&quot;
  temp_file=&quot;/tmp/temp.ip.addresses&quot;
  cat $deny_file | sed -n -e &quot;s/^[ ]*&#92;&#40;[0-9.]*&#92;&#41;.*$/&#92;1/p&quot; | awk &#39;

$1 ' > $temp_file while read ip_addr do

      drop_ipaddr interface0_in source $ip_addr && &#92;
      drop_ipaddr interface0_out destination $ip_addr

      [ -n &quot;$INTERFACE1&quot; ] &&  &#92;
      drop_ipaddr interface1_in source $ip_addr && &#92;
      drop_ipaddr interface1_out destination $ip_addr

      [ -n &quot;$INTERFACE1&quot; ] &&  &#92;
      drop_ipaddr network1_in source $ip_addr && &#92;
      drop_ipaddr network1_out destination $ip_addr

  done &lt; $temp_file
  rm -f $temp_file &gt; /dev/null 2&gt;&1
  unset temp_file
  unset deny_file

fi

Related :

nothing related

Possible fix :

deny_file="$GIPTABLES_BLOCKED_FILE"

if mkdir "/tmp/.giptables.$$"; then chmod 700 /tmp/.giptables.$$ temp_file="/tmp/.giptables.$$/temp.ip.addresses" else echo "$Error: failed to create temporary file" 1>&2 exit 1 fi temp_file="/tmp/.giptables.$$/temp.ip.addresses"

Credits :

Eric Romang (eromang@zataz.net - ZATAZ Audit)


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/