ZATAZ Audits
06/06/05, 23:25
################################################## #######
GIPTables Firewall insecure temporary file creation
Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low
################################################## #######
The vulnerability is caused due to temporary file being created
insecurely. This can be exploited via symlink attacks in combination
with a race condition to create and overwrite arbitrary files with the
privileges of the user running the affected script.
It is also possible to cause a Denial of Service by manipulating the
ip adresses present into the temporary file
The exploitation require that the root configure or reconfigure his
firewall rules.
##########
Versions:
##########
GIPTables Firewall <= v1.1
##########
Solution:
##########
non solution yet.
#########
Timeline:
#########
Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06
#####################
Technical details :
#####################
Vulnerable code :
- - -----------------
# Network Ghouls
[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"
if [ "$NETWORK_GHOULS" == "yes" ] && [ -f
"$GIPTABLES_BLOCKED_FILE" ]; then
deny_file="$GIPTABLES_BLOCKED_FILE"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk '
$1 ' > $temp_file
while read ip_addr
do
drop_ipaddr interface0_in source $ip_addr && \
drop_ipaddr interface0_out destination $ip_addr
[ -n "$INTERFACE1" ] && \
drop_ipaddr interface1_in source $ip_addr && \
drop_ipaddr interface1_out destination $ip_addr
[ -n "$INTERFACE1" ] && \
drop_ipaddr network1_in source $ip_addr && \
drop_ipaddr network1_out destination $ip_addr
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
#########
Related :
#########
nothing related
##############
Possible fix :
##############
deny_file="$GIPTABLES_BLOCKED_FILE"
if mkdir "/tmp/.giptables.$$"; then
chmod 700 /tmp/.giptables.$$
temp_file="/tmp/.giptables.$$/temp.ip.addresses"
else
echo "$Error: failed to create temporary file" 1>&2
exit 1
fi
temp_file="/tmp/.giptables.$$/temp.ip.addresses"
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)
GIPTables Firewall insecure temporary file creation
Vendor: http://www.giptables.org/
Advisory: http://www.zataz.net/adviso/giptables-05222005.txt
Vendor informed: yes
Exploit available: yes
Impact : medium
Exploitation : low
################################################## #######
The vulnerability is caused due to temporary file being created
insecurely. This can be exploited via symlink attacks in combination
with a race condition to create and overwrite arbitrary files with the
privileges of the user running the affected script.
It is also possible to cause a Denial of Service by manipulating the
ip adresses present into the temporary file
The exploitation require that the root configure or reconfigure his
firewall rules.
##########
Versions:
##########
GIPTables Firewall <= v1.1
##########
Solution:
##########
non solution yet.
#########
Timeline:
#########
Discovered : 2005-05-22
Vendor notified : 2005-05-22
Vendor response : no response
Vendor fix : no fix
Disclosure : 2005-06-06
#####################
Technical details :
#####################
Vulnerable code :
- - -----------------
# Network Ghouls
[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"
if [ "$NETWORK_GHOULS" == "yes" ] && [ -f
"$GIPTABLES_BLOCKED_FILE" ]; then
deny_file="$GIPTABLES_BLOCKED_FILE"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk '
$1 ' > $temp_file
while read ip_addr
do
drop_ipaddr interface0_in source $ip_addr && \
drop_ipaddr interface0_out destination $ip_addr
[ -n "$INTERFACE1" ] && \
drop_ipaddr interface1_in source $ip_addr && \
drop_ipaddr interface1_out destination $ip_addr
[ -n "$INTERFACE1" ] && \
drop_ipaddr network1_in source $ip_addr && \
drop_ipaddr network1_out destination $ip_addr
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
#########
Related :
#########
nothing related
##############
Possible fix :
##############
deny_file="$GIPTABLES_BLOCKED_FILE"
if mkdir "/tmp/.giptables.$$"; then
chmod 700 /tmp/.giptables.$$
temp_file="/tmp/.giptables.$$/temp.ip.addresses"
else
echo "$Error: failed to create temporary file" 1>&2
exit 1
fi
temp_file="/tmp/.giptables.$$/temp.ip.addresses"
#####################
Credits :
#####################
Eric Romang (eromang@zataz.net - ZATAZ Audit)