-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#########################################################
net-snmp fixproc insecure temporary file creation

Vendor: http://www.net-snmp.org
Advisory: http://www.zataz.net/adviso/net-snmp-05182005.txt
Vendor informed: yes
Exploit available: no
Impact: low
Exploitation: low
#########################################################

net-snmp fixproc contains a security flaw that could allow a malicious local attacker to execute arbitrary commands with root privileges.

##########
Versions:
##########

net-snmp <= 5.2.1

##########
Solution:
##########

Depending on the Linux distribution you use, some are patched and some are not; the vendor is working on an official patch.

#########
Timeline:
#########

Discovered      : 2005-05-07
Vendor notified : 2005-05-17
Vendor response : 2005-05-23
Vendor fix      : no date
Disclosure      : 2005-05-23

#####################
Technical details :
#####################

Just take a look at /usr/bin/fixproc

Line 233 :

        # it must be "shell", so execute the shell script defined in database
        local ($tmpfile) = "/tmp/fix_$$";
        &create_sh_script ($fix{$proc}, $tmpfile);
        # return code is number divided by 256
        $error_code = (system "$tmpfile") / 256;
- -----------------------------------------

We see that the temporary file name is built from the $$ value (the PID of the running script), and that this file is then executed through the Perl system command. Because the PID is predictable, a local user can guess the name and place a file or symlink at that path before fixproc writes to it.

The subfunction does only this :
- -------------------------------------
sub create_sh_script {
    local ($file) = pop (@_);
    local ($i) = pop (@_);

    printf (stderr "create_sh_script\n") if ($debug > 0);

    $! = $fixproc_error;
    open (file, ">"."$file") || die "$0: cannot open $file\n";
    while ( $shell_lines[$i] ne $shell_end_marker ) {
        printf (file "%s", $shell_lines[$i]);
        $i++;
    }
    close (file);
    system "chmod +x $file";
    return file;
}
- ----------------------------------

The same applies to the function do_check().

########
Notice :
########

Take a look at this :
http://rpmfind.net/linux/RPM/suse/9.1/i386/suse/i586/net-snmp-5.1-80.i586.html

* Tue Mar 16 2004 - ro@suse.de
- use mktemp in fixproc (#36103)

#########
Related :
#########

http://sourceforge.net/tracker/index.php?func=detail&aid=1203376&group_id=12694&atid=112694
http://bugs.gentoo.org/show_bug.cgi?id=91792

#########
Credits :
#########

Eric Romang (eromang@zataz.net - ZATAZ Audit)
Thanks to the Gentoo Security Team. (Taviso, jaervosz, solar, tigger, etc.)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFCkkQzXXuxWE8lDAcRAhPZAJwNgzs0jacMumLmV6XPgGoy9nXHEgCeMLBx
YZA5wA+dnE9/7QrHPIENyRY=
=624Z
-----END PGP SIGNATURE-----
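The following Perl is an added example, not code from the advisory or from net-snmp: it places the predictable "/tmp/fix_$$" pattern described above beside a replacement built on File::Temp, which is the Perl-side equivalent of the mktemp fix noted in the SuSE changelog. The function names, the stat-based sanity check and the sample script lines are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (hypothetical, not fixproc's code): unsafe vs. safe
# creation of a temporary shell script that is later executed.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Unsafe pattern from the advisory: the name depends only on the PID, so
# another local user can pre-create the path (or a symlink there).
# open() with ">" follows a symlink and truncates whatever it points to,
# and there is a window between open/close and execution.
sub create_sh_script_unsafe {
    my (@lines) = @_;
    my $file = "/tmp/fix_$$";
    open(my $fh, ">", $file) or die "cannot open $file: $!";
    print $fh @lines;
    close($fh);
    chmod 0700, $file;
    return $file;
}

# Safe replacement: tempfile() chooses an unpredictable name and opens it
# with O_CREAT|O_EXCL, so an existing file or symlink makes the call fail
# instead of being followed. The returned handle is reused for writing.
sub create_sh_script_safe {
    my (@lines) = @_;
    my ($fh, $file) = tempfile("fix_XXXXXXXX", DIR => "/tmp", UNLINK => 0);
    print $fh @lines;
    close($fh) or die "cannot close $file: $!";
    chmod 0700, $file or die "cannot chmod $file: $!";
    return $file;
}

# Defensive check before executing anything from /tmp: the path must be a
# regular file (not a symlink), owned by the current real uid, and not
# writable by group or others.
sub tmpfile_looks_sane {
    my ($file) = @_;
    return 0 if -l $file;                    # lstat: refuse symlinks
    my @st = stat($file) or return 0;
    return 0 unless S_ISREG($st[2]);         # regular file only
    return 0 unless $st[4] == $<;            # owned by us
    return 0 if $st[2] & (S_IWGRP | S_IWOTH);# not group/world writable
    return 1;
}

# Constructed sample script body (assumption, not fixproc's database).
my @script = ("#!/bin/sh\n", "echo hello from a fixproc-style script\n");

my $path = create_sh_script_safe(@script);
print "created $path, sane=", tmpfile_looks_sane($path), "\n";

# Mirror fixproc's "divided by 256" idiom with a shift of the wait status.
my $rc = system($path) >> 8;
print "exit code $rc\n";
unlink $path;
```

The check in tmpfile_looks_sane is belt-and-braces: with tempfile() the O_EXCL open already guarantees the file is fresh, but verifying ownership and mode right before the system() call also catches the case where a caller passes in a path it did not create itself.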