Hello,
My name is Eric Romang from ZATAZ.net (eromang@zataz.net)
Just take a look at /usr/bin/fixproc
Line 233:
    # it must be "shell", so execute the shell script defined in database
    local ($tmpfile) = "/tmp/fix_$$";
    &create_sh_script ($fix{$proc}, $tmpfile);
    # return code is number divided by 256
    $error_code = (system "$tmpfile") / 256;
-----------------------------------------
We see that the tmp file is created with the $$ value and
this script is executed by the Perl system command.
The subfunction does only this:
-------------------------------------
sub create_sh_script
{
    local ($file) = pop (@_);
    local ($i) = pop (@_);
    printf (stderr "create_sh_script\n") if ($debug > 0);
    $! = $fixproc_error;
    open (file, ">"."$file") || die "$0: cannot open $file\n";
    while ( $shell_lines[$i] ne $shell_end_marker )
    {
        printf (file "%s", $shell_lines[$i]);
        $i++;
    }
    close (file);
    system "chmod +x $file";
    return file;
}
----------------------------------------
My knowledge in Perl is not so good, but maybe a race
condition could be exploited here, and permit a
basic user to run arbitrary commands on the system
with root privileges?
The same for :
sub do_check
{
    local ($proc) = pop(@_);
    printf (stderr "do_check\n") if ($debug > 0);
    if ($check{$proc} eq '')
    {
        $! = $fixproc_error;
        die "$0: internal error 2\n";
    }
    if ($check{$proc} ne 'exist')
    {
        # if not "exist", then it must be "shell", so execute the shell script
        # defined in database
        local ($tmpfile) = "/tmp/check_$$";
        &create_sh_script ($check{$proc}, $tmpfile);
        # return code is number divided by 256
        $error_code = (system "$tmpfile") / 256;
        system "rm $tmpfile";
        return ($check_failed_error) if ($error_code != 0);
        # check passed, continue
    }
    return &do_exist ($proc);
}
Regards,
Logged In: YES
user_id=848638
Indeed, using "$$" smells a lot like insecure temporary file
handling. We should really consider using safer approaches
like described in e.g.
http://www.opennet.ru/base/audit/18.txt.html
Do we consider this a show-stopper for 5.0.10? I'd vote to
fix this *before* release.
Logged In: YES
user_id=848638
Here's a proposed patch against CVS MAIN, utilizing
mktemp(1), taken from the SuSE Linux 9.3 RPM (net-snmp 5.2.1).
- --- snip ---
--- /bc/net-snmp-5.3cvs/bin/fixproc 2005-05-20
14:44:30.000000000 +0200
+++ /usr/bin/fixproc 2005-03-19 21:16:16.000000000 +0100
@@ -231,7 +231,7 @@
{
# it must be "shell", so execute the shell script
defined in database
- local ($tmpfile) = "/tmp/fix_$$";
+ local ($tmpfile) = `mktemp /tmp/fix.XXXXXXXX`;
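Review bot: the backtick capture on the `+` line keeps mktemp's trailing newline in $tmpfile, so the unchanged `system "$tmpfile"` a few lines further down hands the shell a path that ends in "\n"; add `chomp ($tmpfile);` right after the assignment and bail out when $tmpfile comes back empty, because a failed mktemp would otherwise turn `system "$tmpfile"` into an empty command. Shelling out to mktemp(1) also ties fixproc to platforms that ship that utility; File::Temp gives the same O_CREAT|O_EXCL behaviour from Perl itself and hands back an already-open handle, so the script body can be written without re-opening the path by name.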
@@ -262,7 +262,7 @@
# if not "exist", then it must be "shell", so execute
the shell script
# defined in database
- local ($tmpfile) = "/tmp/check_$$";
+ local ($tmpfile) = `mktemp /tmp/check.XXXXXXXX`;
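Review bot: the same chomp and empty-result check belong after this `+` line as after the fix_ one, since do_check feeds $tmpfile to `system "$tmpfile"` and then to `system "rm $tmpfile"` just below this hunk. With the name now random the rm round-trip through /bin/sh is no longer exploitable, but `unlink ($tmpfile)` removes the file without re-parsing the path at all and reports failure through $!, which the shell form silently swallows.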
- --- snap ---
Logged In: YES
user_id=848638
Wes has committed a fix (using File::Temp) to all 5.x.y
branches. This bug can be closed now.
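Added example, in Perl, of the create_sh_script / do_check flow rebuilt on File::Temp, which the comment above says the committed fix uses. This is illustrative code written for this thread, not net-snmp's own fixproc; the %fix database contents, the helper names create_sh_script, run_fix and excl_refuses_existing, and the use of a private temporary directory for the demonstration run are all constructed here.

```perl
#!/usr/bin/perl
# Added example (not net-snmp code): race-free replacement for the
# /tmp/fix_$$ pattern, built on File::Temp.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Errno qw(EEXIST);
use File::Temp qw(tempfile tempdir);

# Constructed stand-in for fixproc's %fix database: proc name -> shell lines.
my %fix = ( 'snmpd' => [ "#!/bin/sh\n", "echo 'fix step ran'\n" ] );

# Create the helper script without a guessable name. tempfile() opens the
# file with O_CREAT|O_EXCL on a randomised name, so a pre-existing file or
# symlink at that path makes the open fail instead of being followed. The
# body is written through the returned handle; the path is never re-opened.
sub create_sh_script {
    my ($lines, $dir) = @_;
    $dir ||= '/tmp';
    my ($fh, $file) = tempfile('fix_XXXXXXXX', DIR => $dir, UNLINK => 0);
    print {$fh} @$lines;
    close($fh) or die "$0: cannot write $file: $!\n";
    # tempfile() created it 0600; make it executable for the owner only.
    chmod 0700, $file or die "$0: cannot chmod $file: $!\n";
    return $file;
}

# Run the script without involving a shell (indirect-object form of system)
# and remove it with unlink() rather than "rm $tmpfile", so the path is never
# re-parsed by /bin/sh. Returns the script's exit status ($? >> 8, which is
# the "divided by 256" value fixproc computes).
sub run_fix {
    my ($proc, $dir) = @_;
    my $tmpfile = create_sh_script($fix{$proc}, $dir);
    system { $tmpfile } $tmpfile;
    my $error_code = $? >> 8;
    unlink $tmpfile or warn "$0: cannot remove $tmpfile: $!\n";
    return $error_code;
}

# The property that defeats the race: O_EXCL refuses a path that already
# exists, which is exactly what a planted file or symlink at a predictable
# name would be. Returns 1 when the open is refused with EEXIST.
sub excl_refuses_existing {
    my ($path) = @_;
    open(my $pre, '>', $path) or die "$0: $path: $!\n";   # pre-existing file
    close($pre);
    my $ok = sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return (!$ok && $! == EEXIST) ? 1 : 0;
}

my $work = tempdir(CLEANUP => 1);   # private directory for the demo run
printf "fix exit code: %d\n", run_fix('snmpd', $work);
printf "O_EXCL refused existing path: %s\n",
    excl_refuses_existing("$work/planted") ? 'yes' : 'no';
```

The demo writes into a throwaway directory from tempdir() so it can be run as an unprivileged user; the production call would pass no directory and let create_sh_script default to /tmp, where the File::Temp guarantees are what matter.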