Xinetd /tmp race?

From: Balazs Nagy (julian7at_private)
Date: Tue Nov 10 1998 - 18:28:03 PST


    Hiyas,
    
    If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
    this method isn't checked against /tmp, and it happily overwrites anything
    in the place of that file.  The package was released in 1997; IMHO this
    is too old to have a bug of this kind hidden.
    
    BTW here's the patch:
    diff -ruN xinetd-2.2.1.orig/xinetd/internals.c
    xinetd-2.2.1/xinetd/internals.c
    --- xinetd-2.2.1.orig/xinetd/internals.c        Sun Nov  8 13:28:00 1998
    +++ xinetd-2.2.1/xinetd/internals.c     Sun Nov  8 13:27:33 1998
    @@ -55,7 +55,14 @@
            register int fd ;
            register unsigned u ;
            char *func = "dump_internal_state" ;
    +       struct stat sb;
    
    +       if (!(stat(dump_file,
    &sb)==-1&&errno==ENOENT)&&(!S_ISREG(sb.st_mode)||sb.st_nlink>1))
    +       {
    +               msg( LOG_ERR, func, "failed to open %s: maybe a vulnerable
    link", dump_file ) ;
    +               return ;
    +       }
    +
            dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_APPEND,
    DUMP_FILE_MODE ) ;
            if ( dump_fd == -1 )
            {
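
Review bot: the new stat() test and the open() right after it look up dump_file separately, so the window is narrowed but not closed: the name can be replaced between the two calls. stat() also follows symbolic links, so a symlink pointing at a regular file with a single link passes the S_ISREG/st_nlink test and open() then follows it. Suggest doing the checks on the descriptor instead (open, then fstat() and compare), or using lstat() together with O_EXCL or O_NOFOLLOW where the platform has it. Separately, when stat() returns -1 with an errno other than ENOENT, the right-hand side of the condition reads sb without it having been filled in; return on any stat() failure other than ENOENT before touching sb.
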
    --
       Linux Supporting Center -- Red Hat Qmail packages -- http://lsc.kva.hu
          PGP 0x1DE3631D / A8 B4 92 EE 1F 55 27 C8  86 64 9C 42 41 A4 BD B8
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:48 PDT