mailing list archives
From: dube0866 () EUROBRETAGNE FR (Nicolas Dubee)
Date: Sat, 26 Jul 1997 07:29:28 +0200
plaguez security advisory n. 8
kerneld / request-route vulnerability
Program: kerneld(1) , the kernel messages daemon handler
request-route, a sample ppp connection script
Version: all kerneld/request-route versions
OS: Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3)
Problem: lock files, symlinks
Impact: when kerneld/request-route are set up,
any user can overwrite any file on the system.
this week, we'll see a weird thing that should have been
removed for years, but that has apparently survived in recent
kerneld(1) is a daemon that "performs kernel action in user space"
(see man page).
request-route is a shell script that should launch pppd and
allocate a network route 'on-the-fly' when kerneld receives
a 'request-route' kernel message.
It can also be configured to use other network interfaces.
request-route uses a lockfile named /tmp/request-route
where it writes its pid in.
Unfortunatly, request-route does not check wether this
lockfile already exists, will follow symlinks and will
create new files mode 600...
One can then create/write to any file on the affected
system, regardless of permissions.
An attacker would create a symlink from the /tmp/request-route
file to any file on the system. He would then for example
telnet to a host, resulting in a request-route kernel
message. The /sbin/request-route would then be executed
and would overwrite the file at the end of the symlink.
rm -rf /sbin/request-route
that's all for this week.
See you later,
dube0866 () eurobretagne fr