Socks5 symlink bug

Description: Just do a standard symlink to /tmp/ and connect() to port 1080.
Author: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Compromise: obtain the privileges of the owner of the socks daemon (probably nobody or daemon).
Vulnerable Systems: Systems running Socks5 beta-0.17.2 from NEC and probably earlier versions.
Date: 9 May 1997

Date: Fri, 9 May 1997 11:26:19 -0500
From: Trevor Schroeder <tschroed@CHEETAH.WSC.EDU>
Subject: Bug Serious problem in NEC SOCKS server

The following bug is present at *least* in Socks5 beta-0.17.2 from NEC.  Other
versions haven't been tested, but they are most likely vulnerable as well.

From the manpage:
          Identifies the filename that stores the socks5 process ID when the
          port is a port other than 1080. When you use port 1080, socks5
          stores the PID in /tmp/ When you run socks5 on a port
          other than 1080, socks5 stores the PID in /tmp/socks5.(port).pid
          unless you specify an alternate filename with SOCKS5_PIDFILE.

If /tmp/ doesn't exist, it is simply a matter of linking the
password file to /tmp/ (or whatever it's called on your system).
When socks starts up, it happily overwrites the file's previous contents with
the PID of the new socks server.


* Use mktemp to generate a unique temp file name and redirect socks to that
* The source is available, recompile *without* PID file support
* Create /tmp/ (as root) and make sure that ordinary users can't remove it
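As an added illustration of the defensive options above (example code written for this page, not NEC's socks5 source and not part of the advisory), the block below contrasts the PID-file writing pattern the advisory describes with a writer that refuses to go through a symlink: `O_CREAT | O_EXCL` makes `open()` fail if anything already sits at the path (a symlink included, whatever it points to), and `O_NOFOLLOW` refuses to dereference one. The fixture directory, the file names `victim.txt` and `socks5.pid`, and the PID 4242 are constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp, symlink, O_NOFOLLOW on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: open the predictable name for writing,
 * truncate, write the PID. fopen() follows symlinks, so a link planted at
 * that name redirects the truncate-and-write to whatever the link names. */
static int write_pidfile_naive(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%ld\n", (long)pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened writer: only ever writes into a file it created itself.
 * Returns 0 on success, -1 (errno set) otherwise. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    /* Belt and braces: the descriptor must be a regular file we own. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int ok = (len > 0 && write(fd, buf, (size_t)len) == len);
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Private fixture directory under $TMPDIR (default /tmp); 0 on success. */
static int make_fixture_dir(char *dir, size_t n)
{
    const char *base = getenv("TMPDIR");
    snprintf(dir, n, "%s/pidfile-demo-XXXXXX", base ? base : "/tmp");
    return mkdtemp(dir) ? 0 : -1;
}

/* Read a small file into buf (NUL-terminated); bytes read, or -1. */
static long slurp(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return (long)got;
}

/* Constructed scenario: a "victim" file plus a symlink named socks5.pid that
 * points at it. Runs `writer` against the symlink. Returns 1 if the victim's
 * contents survived, 0 if they were clobbered, -1 if the fixture failed. */
static int victim_survives(int (*writer)(const char *, pid_t))
{
    const char *original = "original contents, must not be touched\n";
    char dir[256], victim[320], link[320], back[128];

    if (make_fixture_dir(dir, sizeof dir) < 0)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/socks5.pid", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL || fputs(original, f) == EOF || fclose(f) != 0
        || symlink(victim, link) != 0)
        return -1;

    writer(link, 4242);                 /* return value deliberately ignored */

    int survived = slurp(victim, back, sizeof back) >= 0
                   && strcmp(back, original) == 0;
    unlink(link); unlink(victim); rmdir(dir);
    return survived;
}

int demo_naive_writer_follows_symlink(void) { return victim_survives(write_pidfile_naive) == 0; }
int demo_safe_writer_refuses_symlink(void)  { return victim_survives(write_pidfile_safe) == 1; }

/* On a name nothing occupies yet, the safe writer must still succeed. */
int demo_safe_writer_on_fresh_path(void)
{
    char dir[256], path[320], back[32];
    if (make_fixture_dir(dir, sizeof dir) < 0)
        return 0;
    snprintf(path, sizeof path, "%s/socks5.pid", dir);
    int rc = write_pidfile_safe(path, 4242);
    int ok = rc == 0 && slurp(path, back, sizeof back) >= 0 && strcmp(back, "4242\n") == 0;
    unlink(path); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("naive writer clobbered the symlink target: %s\n",
           demo_naive_writer_follows_symlink() ? "yes (vulnerable)" : "no");
    printf("safe writer refused the symlink:           %s\n",
           demo_safe_writer_refuses_symlink() ? "yes" : "NO");
    printf("safe writer on a fresh path:               %s\n",
           demo_safe_writer_on_fresh_path() ? "ok" : "FAILED");
    return 0;
}
```

One consequence of `O_EXCL` is that a stale PID file left by a crashed daemon blocks the next start; a daemon would `lstat()` the leftover, confirm it is a plain file owned by its own user, and unlink it before retrying. The more durable answer is the one the advisory's third option points at: keep the PID file out of the world-writable /tmp altogether, in a directory only the daemon's user can write.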

"One unerring mark of the love of truth is not entertaining
any propositions with greater assurance than the proofs it
is built upon will warrant" -- John Locke, 1690

Trevor Schroeder


This page is part of Fyodor's exploit world.