Security vulnerability in IPFilter v3.2.10 and earlier versions allows local user to gain increased privileges and/or destroy arbitrary system files, due to improper handling of lockfiles by the ipfilter program. Download the new beta version, or apply patch included in advisory.
e8906ca4b706529903dcf7bbaf52d094df40cadaed92a90e4b71368a8167d4d3
Date: Thu, 15 Apr 1999 17:56:02 +0000
From: 0x1c <nick@SHIBUMI.FERALMONKEY.ORG>
To: BUGTRAQ@netspace.org
Subject: FSA-99.04-IPFILTER-v3.2.10
The author (Darren Reed) was notified about this problem early April. I
believe it has been fixed in the latest version.
FERALMONKEY SECURITY ADVISORY - IPFILTER v3.2.10
Title: FSA-99.04-IPFILTER-v3.2.10
Date: April 4th, 1999
Author: garath <garath@feralmonkey.org>
Vendor Notified: Yes
Status: public
Problem Description:
The IPFilter package is a freely distributable TCP/IP packet filter, designed
primarily for use in a firewalled environment. The package includes a series of
kernel additions and modifications, and various applications. A problem exists
in its method of creating files for saving output.
fopen, in ip_fil.c, is used to open the saved output file in an insecure manner:
sprintf(fname, "/tmp/%s", ifp->if_xname);
if ((fp = fopen(fname, "w")))
fclose(fp);
This problem has existed in IPFilter since v3.2.3.
The package comes with the following operating systems:
o OpenBSD
o FreeBSD (post 2.2)
o NetBSD (post 1.2)
and has been tested and run on:
o Solaris/Solaris-x86 2.3 - 2.6
o SunOS 4.1.1 - 4.1.4
o BSD/OS 1.1 - 3.1
o IRIX 6.2
o Linux 2.0.31 - 2.0.35
Impact:
Any user, anticpating priviledged usage of these routines, can create a symbolic link which could effectively clobber arbitrary
system files. Because none of
the commands which use this vulnerable routine are setuid, normal users cannot
create files in system directories.
Environment:
Testing was performed using IPFilter v3.2.10 in OpenBSD 2.5-beta.
Solution:
Do not place lockfiles in /tmp. Each flavor listed above has a specific directory for such files, ie, "/var/run" in FreeBSD,
OpenBSD, and NetBSD. When opening
these files, use open with O_EXCL and fdopen, rather than fopen.
--EOF
Cheers,
Nick
--
Therefore those skilled at the unorthodox are as infinite as heaven and
earth, inexhaustible as the great rivers. -- Sun Tzu, The Art of War
------------------------------------------------------------------------------
Date: Fri, 16 Apr 1999 09:10:18 +1000
From: Darren Reed <avalon@COOMBS.ANU.EDU.AU>
To: BUGTRAQ@netspace.org
Subject: Re: FSA-99.04-IPFILTER-v3.2.10
In some mail from 0x1c, sie said:
>
> The author (Darren Reed) was notified about this problem early April. I
> believe it has been fixed in the latest version.
[...]
> Do not place lockfiles in /tmp. Each flavor listed above has a specific
> directory for such files, ie, "/var/run" in FreeBSD, OpenBSD, and NetBSD.
> When opening
> these files, use open with O_EXCL and fdopen, rather than fopen.
The files which have data written to are not lockfiles so placing them
under /var/run could be considered inappropriate.
For those who actually make use of the feature and/or feel they need a
patch to correctly address this situation (they do testing as root on
systems where unfriendly users are likely to be present and hanging out
waiting for root to possibly do something like this), see below.
Darren
Index: ip_fil.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_fil.c,v
retrieving revision 2.0.2.44.2.17
retrieving revision 2.0.2.44.2.18
diff -c -r2.0.2.44.2.17 -r2.0.2.44.2.18
*** ip_fil.c 1999/03/15 11:51:57 2.0.2.44.2.17
--- ip_fil.c 1999/04/11 10:42:36 2.0.2.44.2.18
***************
*** 1126,1147 ****
ip_t *ip;
{
# endif
- FILE *fp;
char fname[32];
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
sprintf(fname, "/tmp/%s", ifp->if_xname);
- if ((fp = fopen(fname, "a"))) {
- fclose(fp);
- }
# else
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
- if ((fp = fopen(fname, "a"))) {
- fwrite((char *)ip, ntohs(ip->ip_len), 1, fp);
- fclose(fp);
- }
# endif
return 0;
}
--- 1126,1147 ----
ip_t *ip;
{
# endif
char fname[32];
+ int fd;
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
sprintf(fname, "/tmp/%s", ifp->if_xname);
# else
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
# endif
+ fd = open(fname, O_WRONLY|O_APPEND);
+ if (fd == -1) {
+ perror("open");
+ return -1;
+ }
+ write(fd, (char *)ip, ntohs(ip->ip_len));
+ close(fd);
return 0;
}
***************
*** 1204,1227 ****
void init_ifp()
{
- FILE *fp;
struct ifnet *ifp, **ifa;
char fname[32];
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname);
! if ((fp = fopen(fname, "w")))
! fclose(fp);
}
# else
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
! if ((fp = fopen(fname, "w")))
! fclose(fp);
}
# endif
}
--- 1204,1234 ----
void init_ifp()
{
struct ifnet *ifp, **ifa;
char fname[32];
+ int fd;
+
# if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199606)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
sprintf(fname, "/tmp/%s", ifp->if_xname);
! fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0600);
! if (fd == -1)
! perror("open");
! else
! close(fd);
}
# else
for (ifa = ifneta; ifa && (ifp = *ifa); ifa++) {
ifp->if_output = write_output;
sprintf(fname, "/tmp/%s%d", ifp->if_name, ifp->if_unit);
! fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0600);
! if (fd == -1)
! perror("open");
! else
! close(fd);
}
# endif
}