Date: Thu, 15 Apr 1999 17:56:02 +0000
From: 0x1c <nick@SHIBUMI.FERALMONKEY.ORG.>
To: [email protected]
Subject: FSA-99.04-IPFILTER-v3.2.10
The author (Darren Reed) was notified about this problem early April. I
believe it has been fixed in the latest version.
FERALMONKEY SECURITY ADVISORY - IPFILTER v3.2.10
Title: FSA-99.04-IPFILTER-v3.2.10
Date: April 4th, 1999
Author: garath <garath@feralmonkey.org.>
Vendor Notified: Yes
Status: public
Problem Description:
The IPFilter package is a freely distributable TCP/IP packet filter, designed
primarily for use in a firewalled environment. The package includes a series of
kernel additions and modifications, and various applications. A problem exists
in its method of creating files for saving output.
fopen, in ip_fil.c, is used to open the saved output file in an insecure manner:
    /* Predictable name in the world-writable /tmp: /tmp/<interface name> */
    sprintf(fname, "/tmp/%s", ifp->if_xname);
    /* fopen(..., "w") truncates whatever the path resolves to, a symlink's target included */
    if ((fp = fopen(fname, "w")))
        fclose(fp);
This problem has existed in IPFilter since v3.2.3.
The package comes with the following operating systems:
o OpenBSD
o FreeBSD (post 2.2)
o NetBSD (post 1.2)
and has been tested and run on:
o Solaris/Solaris-x86 2.3 - 2.6
o SunOS 4.1.1 - 4.1.4
o BSD/OS 1.1 - 3.1
o IRIX 6.2
o Linux 2.0.31 - 2.0.35
Impact:
Any user, anticipating privileged usage of these routines, can create a symbolic
link which could effectively clobber arbitrary system files. Because none of
the commands which use this vulnerable routine are setuid, normal users cannot
create files in system directories.
Environment:
Testing was performed using IPFilter v3.2.10 in OpenBSD 2.5-beta.
Solution:
Do not place lockfiles in /tmp. Each flavor listed above has a specific directory
for such files, i.e., "/var/run" in FreeBSD, OpenBSD, and NetBSD. When opening
these files, use open with O_EXCL and fdopen, rather than fopen.
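Added example, not code from the advisory or from IPFilter: a hardened replacement for the quoted fopen() call along the lines of the solution above, creating the file with open(O_CREAT|O_EXCL) and wrapping it with fdopen(), plus a self-check that a pre-existing symlink at the output path is refused. The function names, the scratch directory and the interface names le0/le1 are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical hardened replacement for the fopen() call quoted above.
 * O_CREAT|O_EXCL makes open() fail with EEXIST if anything already sits at
 * the path (a symlink planted there included) instead of following it;
 * the descriptor is then wrapped with fdopen(). Returns NULL and sets
 * errno on failure. dir should be a non-world-writable run directory. */
FILE *open_new_exclusive(const char *dir, const char *name)
{
    char path[1024];
    /* An interface name must be a single component; reject anything else. */
    if (strchr(name, '/') != NULL) { errno = EINVAL; return NULL; }
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return NULL; }
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { int e = errno; close(fd); unlink(path); errno = e; return NULL; }
    return fp;
}

/* Self-check: in a constructed scratch directory, a dangling symlink at the
 * output path must be refused (EEXIST) while a fresh name must succeed.
 * Returns 1 on the expected outcome, 0 otherwise. */
int demo_symlink_refused(void)
{
    char tmpl[] = "/tmp/fsa9904-XXXXXX";   /* constructed scratch directory */
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) return 0;
    char link[1024], other[1024];
    snprintf(link, sizeof link, "%s/le0", dir);
    snprintf(other, sizeof other, "%s/le1", dir);
    if (symlink("/nonexistent/target", link) != 0) return 0;
    FILE *fp = open_new_exclusive(dir, "le0");    /* path already exists: must fail */
    int refused = (fp == NULL && errno == EEXIST);
    if (fp != NULL) fclose(fp);
    FILE *ok = open_new_exclusive(dir, "le1");    /* fresh name: must succeed */
    int created = (ok != NULL);
    if (ok != NULL) { fputs("constructed output\n", ok); fclose(ok); }
    unlink(link); unlink(other); rmdir(dir);
    return refused && created;
}
```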
--EOF
Cheers,
Nick
--
Therefore those skilled at the unorthodox are as infinite as heaven and
earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War