Rick Perry <perryat_private> writes: > I believe that the powerchute software will not listen on the net if you > have the following in powerchute.ini > > [ Network ] > UseTCP = NO > > I didn't yet try your exploit, but with UseTCP set to NO this machine doesn't > show up in the list of remote ups's when using the powerchute admin interface > from another machine on the same subnet. [All my observations are from PowerChute Plus for Unix, v4.2.2 on Solaris 2.6] This means that anyone on the local machine who has a copy of the powerchute client can talk to the daemon. When UseTCP is set to YES it seems that the server only listens to network connections, if it is set to NO then it listens with local (unix domain ?) sockets. These seem to be in /tmp and world accessable. As a random test user on my machine I can talk to the daemon using a copy of the client, with a minimal config file and all owned by the test user. The installation directory of powerchute is only readable by root. I have a BackUPS and was able to alter the (unreadable to the user) system powerchute.ini file. With this you could set the machine to shut itself down when powerchute is started ... With a SmartUPS it would be trivial to shut the UPS down right there and then. You can probably also shut down a BackUPS with the supplied tools (I don't weant to do this right now for obviousa reasons). There are also IMO lesser, but still stupid and important, issue of /tmp files opened unsafely (in the client and the server). All of the programs that are directly called have a TMPDIR enviroment variable that is set in a wrapper script (along with the location of the code PWRCHUTE): I created a tmp directory (only r/w by root and my staff group) in the installation directory and have changed the line > TMPDIR=/tmp to > TMPDIR=$PWRCHUTE/tmp in the files powerchute, upsd and xpowerchute in the installation directory. The server appears to create the pipes happily, but the client won't connect to the server even though a truss of _cpwrchute (the binary for the text client) shows it appears to use the new tmp dir and tries to talk to the server. >From powerchute.err: 04/14/98 16:02:44 Server: unable to verify alertConnection 04/14/98 16:02:52 fifo read failure Invalid argument. While looking for other instances of /tmp hardcoded I found such gems as: > grep Santa /etc/perms/inst > /tmp/what_os.tmp 2>/dev/null from what_os.sh but the calling of this unsafe code seems to not be done (commented out function calls). The pager script (dialpager.sh) has: > tmpfile=/tmp/$$.page The mailer script (mailer.sh) does rm -f on filenames that are passed to it as command line options. I'm sure there are far more possible explits than this ... Don't run PowerChute, it seems. Anyone know of a good replacement for use with an APC BackUPS ? :( \pir -- pir pirat_private pirat_private pirat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:14 PDT