The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
LutelWall Insecure Temporary File Creation
------------------------------------------------------------------------
SUMMARY
" <http://firewall.lutel.pl/index.php> LutelWall is high-level Linux
firewall configuration tool. It uses human-readable and easy to understand
configuration to set up Netfilter in most secure way. Its flexibility
allows firewall administrators build from very simple, single-homed
firewalls, to most complex ones - with multiple subnets, DMZ's and traffic
redirections.
LutelWall firewall stores temporary files in an insecure way, which can be
exploited via symlink attacks to create and overwrite arbitrary files with
the privileges of the user running the affected script.
DETAILS
Vulnerable Systems:
* LutelWall version 0.97 and prior
The exploitation requires that the root try to update the software.
Vulnerable Code:
# Prefix of temporary firewall files
tmp='/tmp/lutelwall'
new_version_check () { # Check for new version of script
if [ "`wget -V 2>&1 >/dev/null`" ]; then
message 3 "Warrning: Wget is required to check for updates."
else
new_ver=`wget -C off -O - -q -t 1 -T 3 -w 3 -U "\`uname -a 2>&1\`"
http://firewall.lutel.pl/ver`
if [ `echo $current_version | gawk '{ gsub("\\\.","") ; print 1$0 }'`
-lt `echo $new_ver | gawk '{ gsub("\\\.","") ; print 1$0 }'` ]; then
echo -e "\nThere is newer version of LutelWall (${new_ver})"
echo -n " Changes since previous version:"
echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3
http://firewall.lutel.pl/FEATURES-${new_ver}`
cat $tmp-newfeat
echo "Do you want to update [y/N]? "
read -s -t 5 -n 1 ln
if [ "$ln" = 'y' -o "$ln" = 'Y' ]; then
wget -O $tmp-script -q -T 3 http://firewall.lutel.pl/lutelwall
cat $tmp-script > $0
rm -rf $tmp-script
echo "Your firewall is up to date, exiting after update!"
exit
else
message 5 "Update aborted"
fi
else
message 5 "LutelWall is up-to-date"
fi;
fi;
}
Disclosure Timeline:
* 22.05.05 - Vulnerability discovered
* 22.05.05 - Vendor notified
* 06.06.04 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:exploits@zataz.net> ZATAZ
Audits.
The original article can be found at:
<http://www.zataz.net/adviso/lutelwall-05222005.txt>
http://www.zataz.net/adviso/lutelwall-05222005.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
