OpenSLP initscript symlink vulnerability

From: Ademar de Souza Reis Jr. (ademarat_private)
Date: Mon Aug 18 2003 - 10:41:21 PDT


    Hello.
    
    OpenSLP is an implementation of the "Service Location Protocol V2", an
    IETF standards track protocol that provides a framework to allow
    networking applications to discover the existence, location, and
    configuration of networked services in enterprise networks.
    (http://www.openslp.org)
    
    There's a symbolic link vulnerability in one of the initscripts
    provided with openslp. The slpd.all_init file uses '/tmp/route.check'
    as a temporary file in an unsafe manner.
    
    Since this script is usually called by the root user (to start the
    service), an attacker could exploit this vuln to at least "reset"
    the content of any file in the system as soon as the "start"
    action is called. As a standard symlink vulnerability, all the attacker
    needs is to create a /tmp/route.check symlink pointing to a system file.
    
    Fortunately, the aforementioned initscript is not used by many
    vendors (only Conectiva, according to a vendor-sec
    discussion). Debian distributes openslp but uses another script.
    
    The problem affects OpenSLP 1.0.11 (and probably older versions)
    and is fixed in the CVS of the project.
    
    From the slpd.all_init file:
    
    """
        ...
    	TMP_FILE=/tmp/route.check
    	...
    	ping ... > $TMP_FILE
    	...
    	rm -f $TMP_FILE
    	...
    """
    
    The openslp maintainers and the guys from vendor-sec were
    contacted on 2003-Aug-07 and agreed on this disclosure date.
    
    -- 
    Ademar de Souza Reis Jr. <ademarat_private>
    
    ^[:wq!
    



    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 11:47:08 PDT