The author (Darren Reed) was notified about this problem early April. I believe it has been fixed in the latest version.

FERALMONKEY SECURITY ADVISORY - IPFILTER v3.2.10

Title:           FSA-99.04-IPFILTER-v3.2.10
Date:            April 4th, 1999
Author:          garath <garathat_private>
Vendor Notified: Yes
Status:          public

Problem Description:

The IPFilter package is a freely distributable TCP/IP packet filter, designed primarily for use in a firewalled environment. The package includes a series of kernel additions and modifications, and various applications.

A problem exists in its method of creating files for saving output. fopen, in ip_fil.c, is used to open the saved output file in an insecure manner:

    sprintf(fname, "/tmp/%s", ifp->if_xname);
    if ((fp = fopen(fname, "w")))
        fclose(fp);

This problem has existed in IPFilter since v3.2.3.

The package comes with the following operating systems:

  o OpenBSD
  o FreeBSD (post 2.2)
  o NetBSD (post 1.2)

and has been tested and run on:

  o Solaris/Solaris-x86 2.3 - 2.6
  o SunOS 4.1.1 - 4.1.4
  o BSD/OS 1.1 - 3.1
  o IRIX 6.2
  o Linux 2.0.31 - 2.0.35

Impact:

Any user, anticipating privileged usage of these routines, can create a symbolic link which could effectively clobber arbitrary system files. Because none of the commands which use this vulnerable routine are setuid, normal users cannot create files in system directories.

Environment:

Testing was performed using IPFilter v3.2.10 in OpenBSD 2.5-beta.

Solution:

Do not place lockfiles in /tmp. Each flavor listed above has a specific directory for such files, i.e., "/var/run" in FreeBSD, OpenBSD, and NetBSD. When opening these files, use open with O_EXCL and fdopen, rather than fopen.

--EOF

Cheers,
Nick

--
Therefore those skilled at the unorthodox are as infinite as heaven and earth, inexhaustible as the great rivers.
-- Sun Tzu, The Art of War
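The Solution section above recommends open(2) with O_EXCL followed by fdopen(3) instead of fopen(3). The following C program is an added example written for this page; it is not IPFilter code and is not from the advisory's author. It places the advisory's fopen pattern beside the hardened pattern and exercises both against a symlink planted in a throwaway scratch directory, showing that O_CREAT|O_EXCL refuses the pre-existing link while fopen(..., "w") follows it. The function names (create_output_file, create_output_file_unsafe, valid_ifname, demo_run), the MAX_IFNAME limit and the scratch-directory layout are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, symlink, lstat, fdopen on POSIX systems */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_IFNAME 16   /* assumption: interface names are IFNAMSIZ-sized tokens */

enum { CREATE_OK = 0, CREATE_EXISTS = 1, CREATE_BAD_NAME = 2, CREATE_ERROR = 3 };

/* The interface name is the only caller-influenced part of the path, so keep
 * it a short, slash-free token before it reaches the path formatter. */
int valid_ifname(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= MAX_IFNAME) return 0;
    if (strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* The pattern the advisory flags, kept only for comparison: fopen(..., "w")
 * follows an existing symlink at the path and truncates whatever it names. */
int create_output_file_unsafe(const char *dir, const char *name)
{
    char fname[256];
    FILE *fp;
    snprintf(fname, sizeof fname, "%s/%s", dir, name);
    if ((fp = fopen(fname, "w")) == NULL) return CREATE_ERROR;
    fclose(fp);
    return CREATE_OK;
}

/* The recommended pattern: O_CREAT|O_EXCL makes open() fail with EEXIST when
 * anything, a symlink included, already occupies the path, so a planted link
 * is never followed. fdopen() then hands back the FILE* callers expect. */
int create_output_file(const char *dir, const char *name, FILE **out)
{
    char fname[256];
    int fd;

    *out = NULL;
    if (!valid_ifname(name)) return CREATE_BAD_NAME;
    if (snprintf(fname, sizeof fname, "%s/%s", dir, name) >= (int)sizeof fname)
        return CREATE_BAD_NAME;
    fd = open(fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno == EEXIST ? CREATE_EXISTS : CREATE_ERROR;
    if ((*out = fdopen(fd, "w")) == NULL) { close(fd); return CREATE_ERROR; }
    return CREATE_OK;
}

static int path_exists(const char *p) { struct stat st; return lstat(p, &st) == 0; }

/* Run both variants against a planted link inside a fresh scratch directory
 * (cwd first, /tmp as fallback) and count the checks that behave as the
 * advisory describes. Returns 4 when every check passes, -1 on setup failure. */
int demo_run(void)
{
    char cwd_tmpl[] = "./ipf-demo.XXXXXX", tmp_tmpl[] = "/tmp/ipf-demo.XXXXXX";
    char *dir = mkdtemp(cwd_tmpl);
    char link[300], target[300], clean[300];
    FILE *fp = NULL;
    int passed = 0;

    if (dir == NULL) dir = mkdtemp(tmp_tmpl);
    if (dir == NULL) return -1;
    snprintf(link, sizeof link, "%s/le0", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(clean, sizeof clean, "%s/le1", dir);
    /* constructed scenario: le0 already exists as a dangling link to "victim" */
    if (symlink("victim", link) != 0) { rmdir(dir); return -1; }

    /* 1. the hardened open refuses the pre-existing link ... */
    passed += (create_output_file(dir, "le0", &fp) == CREATE_EXISTS);
    /* 2. ... and the link target was never created */
    passed += !path_exists(target);
    /* 3. a name with nothing planted is created normally and is writable */
    if (create_output_file(dir, "le1", &fp) == CREATE_OK) { fputs("ok\n", fp); fclose(fp); passed++; }
    /* 4. the original fopen() pattern follows the link and creates "victim" */
    passed += (create_output_file_unsafe(dir, "le0") == CREATE_OK && path_exists(target));

    unlink(link); unlink(target); unlink(clean); rmdir(dir);
    return passed;
}

int main(void)
{
    printf("checks passed: %d of 4\n", demo_run());
    return 0;
}
```

The directory argument is what the advisory's /var/run recommendation maps to: a directory ordinary users cannot write to, so the O_EXCL check guards against a race with a planted link rather than being the only line of defence. The snprintf bound and valid_ifname check are additional hygiene for the sprintf call shown in the advisory; they are this example's additions, not part of the reported fix.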
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:35 PDT