Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnwatch: GIPTables Firewall <= v1.1 insecure temporary file creation

GIPTables Firewall <= v1.1 insecure temporary file creation

From: ZATAZ Audits <exploits_at_zataz.net>
Date: Mon, 06 Jun 2005 10:05:01 +0200

#########################################################

GIPTables Firewall insecure temporary file creation

Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low

#########################################################

The vulnerability is caused due to temporary file being created
insecurely. This can be exploited via symlink attacks in combination
with a race condition to create and overwrite arbitrary files with the
privileges of the user running the affected script.

It is also possible to cause a Denial of Service by manipulating the
ip adresses present into the temporary file

The exploitation require that the root configure or reconfigure his
firewall rules.

##########
Versions:
##########

GIPTables Firewall <= v1.1

##########
Solution:
##########

non solution yet.

#########
Timeline:
#########

Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
- - -----------------

# Network Ghouls

[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"

if [ "$NETWORK_GHOULS" == "yes" ] && [ -f
"$GIPTABLES_BLOCKED_FILE" ]; then

      deny_file="$GIPTABLES_BLOCKED_FILE"
      temp_file="/tmp/temp.ip.addresses"
      cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk '
$1 ' > $temp_file
      while read ip_addr
      do

          drop_ipaddr interface0_in source $ip_addr && \
          drop_ipaddr interface0_out destination $ip_addr

          [ -n "$INTERFACE1" ] && \
          drop_ipaddr interface1_in source $ip_addr && \
          drop_ipaddr interface1_out destination $ip_addr

          [ -n "$INTERFACE1" ] && \
          drop_ipaddr network1_in source $ip_addr && \
          drop_ipaddr network1_out destination $ip_addr

      done < $temp_file
      rm -f $temp_file > /dev/null 2>&1
      unset temp_file
      unset deny_file

fi

#########
Related :
#########

nothing related

##############
Possible fix :
##############

deny_file="$GIPTABLES_BLOCKED_FILE"

if mkdir "/tmp/.giptables.$$"; then
        chmod 700 /tmp/.giptables.$$
         temp_file="/tmp/.giptables.$$/temp.ip.addresses"
        else
         echo "$Error: failed to create temporary file" 1>&2
         exit 1
     fi
     temp_file="/tmp/.giptables.$$/temp.ip.addresses"

#####################
Credits :
#####################

Eric Romang (eromang_at_zataz.net - ZATAZ Audit)
Received on Jun 06 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos