Socks5 symlink bug
Description: Just do a standard symlink to /tmp/socks5.pid and connect() to port 1080.
Author: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise: obtain access as the owner of the socks daemon (probably nobody or daemon).
Vulnerable Systems: Systems running Socks5 beta-0.17.2 from NEC and probably earlier versions.
Date: 9 May 1997
Date: Fri, 9 May 1997 11:26:19 -0500
From: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bug Serious problem in NEC SOCKS server
The following bug is present at *least* in Socks5 beta-0.17.2 from NEC. Other
versions haven't been tested, but they are most likely vulnerable as well.
From the manpage:
SOCKS5_PIDFILE
Identifies the filename that stores the socks5 process ID when the
port is a port other than 1080. When you use port 1080, socks5
stores the PID in /tmp/socks5.pid. When you run socks5 on a port
other than 1080, socks5 stores the PID in /tmp/socks5.(port).pid
unless you specify an alternate filename with SOCKS5_PIDFILE.
If /tmp/socks5.pid doesn't exist, it is simply a matter of linking the
password file to /tmp/socks5.pid (or whatever it's called on your system).
When socks starts up, it happily overwrites the file's previous contents with
the PID of the new socks server.
Workarounds:
* Use mktemp to generate a unique temp file name and redirect socks to that
* The source is available, recompile *without* PID file support
* Create /tmp/socks5.pid (as root) and make sure that ordinary users can't
remove it
____________________________________________________________
"One unerring mark of the love of truth is not entertaining
any propositions with greater assurance than the proofs it
is built upon will warrant" -- John Locke, 1690
Trevor Schroeder tschroed@cheetah.wsc.edu
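As an added example (not from the post above or the socks5 sources), a hypothetical write_pidfile_safe() shows the defensive idea behind the workarounds in code: create the PID file with open(2) flags that refuse a pre-existing entry or symlink, and verify what was actually opened. The self-test builds a constructed "victim" file and a symlink to it in a private temp directory; all function and file names are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for O_NOFOLLOW and mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened PID-file writer (hypothetical). The pattern in the post is
 * fopen(path, "w"), which follows a symlink and truncates its target.
 * Here O_EXCL refuses any pre-existing entry (symlinks included),
 * O_NOFOLLOW closes the race window, and fstat() confirms the result.
 * Returns 0 on success, -1 if the file could not be created safely. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    struct stat st; char buf[32]; int n;
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd); return -1;
    }
    n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (n < 0 || write(fd, buf, (size_t)n) != n) { close(fd); unlink(path); return -1; }
    return close(fd);
}

/* Self-test on constructed files: "victim" stands in for a file the
 * daemon must never clobber, "socks5.pid" is a symlink pointing at it.
 * Returns 1 when the writer refuses the symlink, leaves victim intact,
 * and still succeeds on a fresh path. */
int pidfile_selftest(void)
{
    char dir[] = "/tmp/pidtest.XXXXXX", victim[64], link[64], fresh[64], c[16] = {0};
    FILE *f; int ok;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/socks5.pid", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.pid", dir);
    f = fopen(victim, "w"); if (!f) return 0; fputs("secret\n", f); fclose(f);
    if (symlink(victim, link) < 0) return 0;
    ok = write_pidfile_safe(link, getpid()) == -1;             /* symlink refused */
    f = fopen(victim, "r"); if (f) { if (!fgets(c, sizeof c, f)) c[0] = 0; fclose(f); }
    ok = ok && strcmp(c, "secret\n") == 0;                      /* victim untouched */
    ok = ok && write_pidfile_safe(fresh, getpid()) == 0;        /* normal case works */
    unlink(fresh); unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```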
This page is part of Fyodor's exploit world.