request-route script tempfile symlink problem.

Description: The request-route script used with kerneld has a serious /tmp symlink vulnerability. It always uses /tmp/request-route as its lockfile, so there is not even a filename to predict.
Author: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>
Compromise: Any local user can overwrite arbitrary files as root, so becoming root on a vulnerable host is easy.
Vulnerable Systems: Linux boxes with kerneld/request-route set up. Red Hat 4.1 and 3.0.3 are vulnerable if the sysadmin has installed it.
Date: 26 July 1997

Date: Sat, 26 Jul 1997 07:29:28 +0200
From: Nicolas Dubee <dube0866@EUROBRETAGNE.FR>

                   plaguez security advisory n. 8

                kerneld / request-route vulnerability

Program:  kerneld(1) , the kernel messages daemon handler
          request-route, a sample ppp connection script

Version:  all kerneld/request-route versions

OS:       Linux (tested on 2.0.30/Redhat 4.1 and Redhat 3.0.3)

Problem:  lock files, symlinks

Impact:   when kerneld/request-route are set up,
          any user can overwrite any file on the system.

hello all,

this week, we'll see a weird thing that should have been
removed years ago, but that has apparently survived into
recent Linux versions.

kerneld(1) is a daemon that "performs kernel action in user space"
(see man page).
request-route is a shell script that launches pppd and
sets up a network route 'on-the-fly' when kerneld receives
a 'request-route' kernel message (the message the kernel sends
when it has no route to a destination).
It can also be configured to use other network interfaces.

request-route uses a lockfile named /tmp/request-route,
into which it writes its pid.
Unfortunately, request-route does not check whether this
lockfile already exists: the write follows symlinks, and
if the target does not exist it is created with mode 600.

Any local user can therefore create or overwrite any file on
the affected system, regardless of permissions, because the
script runs as root under kerneld.

An attacker creates a symlink at /tmp/request-route pointing
to any file on the system (/tmp is world-writable, so this
needs no privilege). He then triggers a route request, for
example by telnetting to a host the kernel has no route to,
which makes the kernel send a request-route message. kerneld
runs /sbin/request-route as root, and the script writes its
pid through the symlink, truncating and overwriting the file
at the other end.
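The following is an added example, not the original request-route script or anything from the advisory: a constructed lockfile routine with exactly the flaw described above (a plain `>` redirection to a fixed path in a world-writable directory), next to a hardened variant that creates the lockfile with O_CREAT|O_EXCL via the shell's noclobber option. The lock path is a parameter so the demo can replay the symlink attack in a scratch directory instead of /tmp; the target file, the link name `request-route` and the function names are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the original request-route script: a constructed
# lockfile routine with the flaw described above, next to a hardened one.
# The lock path is a parameter so the demo can run in a scratch directory;
# the real script hard-coded /tmp/request-route.

# Vulnerable pattern: create the lockfile with a plain '>' redirection at a
# fixed path in a world-writable directory, never checking whether something
# is already there. open(2) follows a planted symlink, so the file it points
# to is truncated and overwritten with the pid; under kerneld that happens
# as root, and a link to a nonexistent path creates the file instead.
vuln_lock() {
    echo $$ > "$1"
}

# Hardened pattern: run the redirection under 'set -C' (noclobber), so the
# shell opens the lockfile with O_CREAT|O_EXCL instead of O_CREAT|O_TRUNC.
# The exclusive create fails if anything is already at that path, and on
# Linux it fails on a symlink even when the link is dangling. A separate
# test-then-create ([ -e ] followed by '>') would leave a window for the
# attacker to plant the link between the two steps; the atomic create has
# no such window.
safe_lock() {
    ( set -C; echo $$ > "$1" ) 2>/dev/null || {
        echo "lockfile $1 already exists or is a symlink, refusing to run" >&2
        return 1
    }
}

# Replay the attack in a scratch directory: plant a symlink where the
# lockfile will be created, pointing at a file the attacker could not
# otherwise write, then run both variants. Returns 0 only if the vulnerable
# version clobbered the target and the hardened version refused.
demo_symlink_attack() {
    d=$(mktemp -d) || return 1
    printf 'secret\n' > "$d/target"         # stands in for e.g. /etc/passwd
    ln -s "$d/target" "$d/request-route"    # the attacker's planted link

    vuln_lock "$d/request-route"
    vuln_result=$(cat "$d/target")

    printf 'secret\n' > "$d/target"         # restore for the second run
    if safe_lock "$d/request-route"; then
        safe_refused=0
    else
        safe_refused=1
    fi
    safe_result=$(cat "$d/target")
    rm -rf "$d"

    echo "vulnerable: target now contains '$vuln_result' (our pid is $$)"
    echo "hardened:   refused=$safe_refused, target still '$safe_result'"
    [ "$vuln_result" = "$$" ] && [ "$safe_refused" = 1 ] && [ "$safe_result" = secret ]
}
```

Noclobber only fixes the truncate-through-symlink step; it does not make a lockfile in /tmp a good idea. A root-run script should keep its lock in a directory that only root can write (such as /var/lock), or take the lock with an atomic `mkdir`, so that an unprivileged user cannot plant anything at the lock path in the first place.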

Fix:      until request-route is changed to keep its lockfile in a
          directory that only root can write, remove the script:

    rm -rf /sbin/request-route

that's all for this week.

See you later,




This page is part of Fyodor's exploit world.