request-route script tempfile symlink problem.

Summary
Description:The request-route script which is used with kerneld has a serious symlink /tmp file vulnerability. It always uses /tmp/request-route as its lockfile, so you don't even have to predict anything!
Author:Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise:It is pretty easy to become root on vulnerable hosts.
Vulnerable Systems:Those linux boxes with kerneld/request-route set up. Redhat 4.1 and 3.0.3 are vulnerable if the sysadmin has installed this.
Date:26 July 1997
Details


Date: Sat, 26 Jul 1997 07:29:28 +0200
From: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
To: BUGTRAQ@NETSPACE.ORG

                   plaguez security advisory n. 8

                kerneld / request-route vulnerability


Program:  kerneld(1) , the kernel messages daemon handler
          request-route, a sample ppp connection script

Version:  all kerneld/request-route versions

OS:       Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3)

Problem:  lock files, symlinks

Impact:   when kerneld/request-route are set up,
          any user can overwrite any file on the system.



hello all,

this week, we'll see a weird thing that should have been
removed for years, but that has apparently survived in recent
Linux versions.

kerneld(1) is a daemon that "performs kernel action in user space"
(see man page).
request-route is a shell script that should launch pppd and
allocate a network route 'on-the-fly' when kerneld receives
a 'request-route' kernel message.
It can also be configured to use other network interfaces.

request-route uses a lockfile named /tmp/request-route
where it writes its pid in.
Unfortunatly, request-route does not check wether this
lockfile already exists, will follow symlinks and will
create new files mode 600...

One can then create/write to any file on the affected
system, regardless of permissions.

An attacker would create a symlink from the /tmp/request-route
file to any file on the system. He would then for example
telnet to a host, resulting in a request-route kernel
message. The /sbin/request-route would then be executed
and would overwrite the file at the end of the symlink.


Fix:
----

    rm -rf /sbin/request-route




that's all for this week.

See you later,

-plaguez



------------------------
        plaguez
dube0866@eurobretagne.fr
http://plaguez.innu.org/
        ^^^^^^^^(soon)
------------------------

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault