Networker 6.0 - possible symlink attack

2007.11.08
Credit: Rene
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-59


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

product: networker 6.0
date: 19.01.2003
author: l0om <l0om (at) excluded (dot) org>

possible symlink attack in shutdown script

the networker is a backup and storage system from fujitsu siemens. the shutdown (nsr_shutdown) script from networker version 6.0 contains the following:

    zero_worklist() {
    [...]
        rm -f /tmp/nsrsh$$
        echo '. type: nsr group' > /tmp/nsrsh$$     # <----------------
        echo 'update work list:; completion:' >> /tmp/nsrsh$$
        nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
        rm -f /tmp/nsrsh$$
    }
    [...]

as we all know, the "$$" is no protection against symlink attacks. a user could create a symbolic link from /tmp/nsrsh(guessed pid) to somewhere in the system and could create or overwrite any file on the system, because the script must be executed with root priv.

a better handling would be something like:

    TMPFILE=/tmp/nsrsh.$RANDOM.$RANDOM.$RANDOM.$RANDOM.$$
    echo '. type: nsr group' > $TMPFILE
    echo 'update work list:; completion:' >> $TMPFILE
    nsradmin ${RESFILE} -i - < $TMPFILE > /dev/null 2>&1
    rm -f $TMPFILE

or "mktemp /tmp/phun.XXXXXX"

- have phun - l0om - www.excluded.org
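Added example (not part of l0om's advisory or of the Networker script): two ways to write zero_worklist without a predictable /tmp name, plus a sandboxed check of why the predictable name is a problem. Assumptions: run_nsradmin and OUT stand in for the real "nsradmin ${RESFILE} -i -" call, the function names are hypothetical, and the PID 12345 is constructed.

```shell
#!/bin/sh
# run_nsradmin is a stand-in (assumption) for `nsradmin ${RESFILE} -i -`:
# it copies its stdin to the file named in $OUT so the result can be checked.
OUT=${OUT:-/dev/null}
run_nsradmin() { cat > "$OUT"; }

# Option 1: no temp file at all. The original feeds nsradmin on stdin,
# so the two input lines can come straight from a pipe.
zero_worklist_pipe() {
    printf '%s\n' '. type: nsr group' 'update work list:; completion:' |
        run_nsradmin
}

# Option 2: keep a temp file, but let mktemp create it. mktemp picks an
# unpredictable name AND creates the file exclusively (mode 0600), so a
# name that already exists, symlink or not, is never opened. A hard-to-guess
# name written through a plain `>` gives only the first of those properties.
zero_worklist_mktemp() {
    tmpfile=$(mktemp "${TMPDIR:-/tmp}/nsrsh.XXXXXX") || return 1
    printf '%s\n' '. type: nsr group' 'update work list:; completion:' > "$tmpfile"
    run_nsradmin < "$tmpfile"
    rc=$?
    rm -f "$tmpfile"
    return "$rc"
}

# Sandbox check on constructed data, confined to a private directory:
# a link already sits at the predictable name when the redirect runs.
# Returns 0 if the write went through the link and changed its target.
predictable_name_follows_link() {
    dir=$(mktemp -d) || return 2
    echo 'original' > "$dir/target"
    ln -s "$dir/target" "$dir/nsrsh12345"          # 12345: constructed PID
    echo '. type: nsr group' > "$dir/nsrsh12345"   # pattern from nsr_shutdown
    result=$(cat "$dir/target")
    rm -rf "$dir"
    [ "$result" = '. type: nsr group' ]
}
```

The "rm -f" that precedes the write in nsr_shutdown does not change the outcome of the check, because removing the name and reopening it with ">" are two separate steps.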

