Socks5 symlink bug

Summary
Description:Just do a standard symlink to /tmp/socks5.pid and connect() to port 1080.
Author:Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise:obtain access of the owner of the socks daemon (probably nobody or daemon).
Vulnerable Systems:Systems running Socks5 beta-0.17.2 from NEC and probably earlier versions.
Date:9 May 1997
Details


Date: Fri, 9 May 1997 11:26:19 -0500
From: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bug Serious problem in NEC SOCKS server

The following bug is present at *least* in Socks5 beta-0.17.2 from NEC.  Other
versions haven't been tested, but they are most likely vulnerable as well

>From the manpage:
     SOCKS5_PIDFILE
          Identifies the filename that stores the socks5 process ID when the
          port is a port other than 1080. When you use port 1080, socks5
          stores the PID in /tmp/socks5.pid. When you run socks5 on a port
          other than 1080, socks5 stores the PID in /tmp/socks5.(port).pid
          unless you specify an alternate filename with SOCKS5_PIDFILE.

If /tmp/socks5.pid doesn't exist, it is simply a matter of linking the
password file to /tmp/socks5.pid (or whatever it's called on your system).
When socks starts up, it happily overwirtes the file's previous contents with
the PID of the new socks server.

Workarounds:

* Use mktemp to generate a unique temp file name and redirect socks to that
* The source is available, recompile *without* PID file support
* Create /tmp/socks5.pid (as root) and make sure that ordinary users can't
remove it


____________________________________________________________
"One unerring mark of the love of truth is not entertaining
any propositions with greater assurance than the proofs it
is built upon will warrant" -- John Locke, 1690

Trevor Schroeder                    tschroed@cheetah.wsc.edu
------------------------------------------------------------

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault