product: networker 6.0

date: 19.01.2003

author: l0om <l0om (at) excluded (dot) org>

possible symlink attack in shutdown script

the networker is a backup and storage system from fujitsu siemens.

the shutdown script (nsr_shutdown) from networker version 6.0 contains the following:

zero_worklist()
{
    [...]
    rm -f /tmp/nsrsh$$
    echo '. type: nsr group' > /tmp/nsrsh$$  # <----------------
    echo 'update work list:; completion:' >> /tmp/nsrsh$$
    nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
    rm -f /tmp/nsrsh$$
}
[...]

as we all know, "$$" (the pid) is no protection against symlink attacks: a local user could create a symbolic link from /tmp/nsrsh(guessed pid) to any path on the system and so create or overwrite any file, because the script must be executed with root privileges.

a better handling would be something like:

    TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$
    echo '. type: nsr group' > $TMPFILE
    echo 'update work list:; completion:' >> $TMPFILE
    nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
    rm -f $TMPFILE

or "mktemp /tmp/phun.XXXXXX"
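a hardened version of zero_worklist() built around mktemp, added here as an example (it is not the vendor's nsr_shutdown code); nsradmin and RESFILE are the original script's, the rest is assumed. note that the $RANDOM variant above only makes the name harder to guess, while mktemp creates the file itself with O_EXCL, so a symlink already sitting at the chosen name is never followed:

```sh
#!/bin/sh
# Hardened replacement for the zero_worklist() shown above (added example, not
# the vendor's nsr_shutdown code). nsradmin and RESFILE come from the original
# script; everything else here is this example's own.

# Create the work list for nsradmin in a fresh, unguessable temp file.
# mktemp creates the file itself with O_CREAT|O_EXCL and mode 0600: if a
# symlink has been planted at a candidate name, the exclusive create fails
# and mktemp tries another name instead of following the link, and there is
# no create-then-open window left for a race.
# Prints the path of the file on success, returns 1 on failure.
make_worklist() {
    tmp=$(umask 077; mktemp "${TMPDIR:-/tmp}/nsrsh.XXXXXX") || return 1
    # the same two nsradmin commands the original script writes
    printf '%s\n' '. type: nsr group' 'update work list:; completion:' > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$tmp"
}

zero_worklist() {
    worklist=$(make_worklist) || return 1
    # clean up even if nsradmin fails or the script is interrupted
    trap 'rm -f "$worklist"' EXIT HUP INT TERM
    nsradmin ${RESFILE:+"$RESFILE"} -i - < "$worklist" > /dev/null 2>&1
    rc=$?
    rm -f "$worklist"
    trap - EXIT HUP INT TERM
    return $rc
}
```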

- have phun

- l0om

- www.excluded.org