Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] GIPTables Firewall <= v1.1 insecure temporary file cre

from [ZATAZ Audits] Network Security [Permanent Link]
Subject: [Full-disclosure] GIPTables Firewall <= v1.1 insecure temporary file creation
Date: Mon, 06 Jun 2005 10:05:01 +0200 
#########################################################

GIPTables Firewall insecure temporary file creation

Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low

#########################################################

The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination with a race condition to create and overwrite arbitrary files with the privileges of the user running the affected script.

It is also possible to cause a Denial of Service by manipulating the
ip adresses present into the temporary file

The exploitation require that the root configure or reconfigure his
firewall rules.

##########
Versions:
##########

GIPTables Firewall <= v1.1

##########
Solution:
##########

non solution yet.

#########
Timeline:
#########

Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06

#####################
Technical details :
#####################

Vulnerable code :
- - -----------------

# Network Ghouls

[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"

if [ "$NETWORK_GHOULS" == "yes" ] && [ -f
"$GIPTABLES_BLOCKED_FILE" ]; then

     deny_file="$GIPTABLES_BLOCKED_FILE"
     temp_file="/tmp/temp.ip.addresses"
     cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk '
$1 ' > $temp_file
     while read ip_addr
     do

         drop_ipaddr interface0_in source $ip_addr && \
         drop_ipaddr interface0_out destination $ip_addr

         [ -n "$INTERFACE1" ] &&  \
         drop_ipaddr interface1_in source $ip_addr && \
         drop_ipaddr interface1_out destination $ip_addr

         [ -n "$INTERFACE1" ] &&  \
         drop_ipaddr network1_in source $ip_addr && \
         drop_ipaddr network1_out destination $ip_addr

     done < $temp_file
     rm -f $temp_file > /dev/null 2>&1
     unset temp_file
     unset deny_file

fi

#########
Related :
#########

nothing related

##############
Possible fix :
##############

deny_file="$GIPTABLES_BLOCKED_FILE"

if mkdir "/tmp/.giptables.$$"; then
        chmod 700 /tmp/.giptables.$$
        temp_file="/tmp/.giptables.$$/temp.ip.addresses"
        else
        echo "$Error: failed to create temporary file" 1>&2
        exit 1
    fi
    temp_file="/tmp/.giptables.$$/temp.ip.addresses"


#####################
Credits :
#####################

Eric Romang (eromang@zataz.net - ZATAZ Audit)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] GIPTables Firewall <= v1.1 insecure temporary file creation, ZATAZ Audits <=
Previous by Date:  [VulnWatch] CastleCops phpBB bbcode Input Validation Disclosure, Paul Laudanski
Next by Date:  [Full-disclosure] everybuddy <= 0.4.3 insecure temporary file creation, Eric Romang / DATACENTER Luxembourg
Previous by Thread:  [VulnWatch] CastleCops phpBB bbcode Input Validation Disclosure, Paul Laudanski
Next by Thread:  [Full-disclosure] everybuddy <= 0.4.3 insecure temporary file creation, Eric Romang / DATACENTER Luxembourg
Indexes:  [Date] [Thread] [Top] [All Lists]