
List:       openvas-development
Subject:    Re: [Openvas-devel] Fwd: openvas 2.x race condition
From:       Michael Wiegand <michael.wiegand () greenbone ! net>
Date:       2011-09-12 12:59:07
Message-ID: 20110912125907.GE11956 () intevation ! de

Hello,

In SVN revision 11599 I have committed a patch which IMHO addresses both
the issue raised in the f-d mail (results_filename) and the issue raised
by Tim (sc_filename).

The patch changes the behaviour in the following ways:
- Privilege dropping is now done as early as possible in ovaldi_launch
  (). If we cannot lose root privileges for whatever reason, we
  immediately return.
- After privileges have been dropped, a directory with a random unique
  name is created using mkdtemp (). If creating this directory fails, we
  immediately return.
- The file containing the system characteristics (sc_filename) is placed
  in the directory we created.
- When ovaldi runs, it will place the results in this directory as well
  (results_filename).
- When ovaldi has finished, the temporary directory is removed.

@Tim, @Security Experts: Please do read the above and the patch and tell
us if you consider this to be an adequate solution.

I could think of one more change, but with my limited experience in
this area I cannot judge whether it makes sense:
- Make the names of the results and system characteristics files random
  inside the randomly named directory, making them even harder to guess.

Would this add security or is the above secure enough?

I'd like to request replies ASAP so we can close this issue. Once we
have agreed on a patch, I will backport the changes to earlier branches.

Regards,

Michael

* Tim Brown [ 6. Sep 2011]:
> This was publicly reported yesterday.
> 
> Tim
> 
> ----------  Forwarded Message  ----------
> 
> Subject: openvas 2.x race condition
> Date: Sunday 04 Sep 2011, 23:56:48
> From: Bugs NotHugs <bugsnothugs@gmail.com>
> To: fd <full-disclosure@lists.grok.org.uk>, bugtraq 
> <bugtraq@securityfocus.com>, vuldb@securityfocus.com, vuln@secunia.com, 
> submissions@packetstormsecurity.org, xforce@iss.net, Vuln@frsirt.com, 
> timb@openvas.org
> 
> > openvas-server/openvas/oval_plugins.c
> > [...]
> > results_filename = "/tmp/results.xml";
> > if (g_file_test (results_filename, G_FILE_TEST_EXISTS))
> >   {
> >     log_write ("Found existing results file in %s, deleting it to avoid conflicts.",
> >                results_filename);
> 
> It unlinks /tmp/results.xml to avoid a symlink attack, then spawns a process
> that writes stuff to /tmp/results.xml.
> 
> A Chinese APT can make the symlink point to any system file during the race and win the race!
> 
> -- 
> 
> BugsNotHugs
> Shared Vulnerability Disclosure Account
> 
> -----------------------------------------
> -- 
> Tim Brown
> <mailto:timb@openvas.org>
> <http://www.openvas.org/>


-- 
Michael Wiegand |  Greenbone Networks GmbH  |  http://www.greenbone.net/
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
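As an added illustration (not code from SVN revision 11599 or from anyone in this thread), the temporary-directory handling Michael lists above, written out in plain C: an unpredictable 0700 directory from mkdtemp(), files created inside it with O_EXCL|O_NOFOLLOW so there is no unlink-then-write window like the one in the original /tmp/results.xml code, and cleanup at the end. The template name, the function names and the ownership/mode check are assumptions; the privilege-dropping step that precedes all of this is left out because it needs root to demonstrate.

```c
#define _GNU_SOURCE                       /* mkdtemp(), O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* After privileges are dropped, create a directory with an unpredictable
 * name. mkdtemp() makes it mode 0700, so another /tmp user can neither guess
 * the path nor plant a symlink inside it. Returns a malloc'd path or NULL. */
char *create_private_workdir(void)
{
    char *path = strdup("/tmp/openvas-ovaldi-XXXXXX");  /* hypothetical template */
    if (path != NULL && mkdtemp(path) == NULL) {
        free(path);
        return NULL;                    /* fail closed, as the patch does */
    }
    return path;
}

/* Sanity check before use: a real directory, owned by us, no group/other bits. */
int dir_is_private(const char *dir)
{
    struct stat st;
    return lstat(dir, &st) == 0 && S_ISDIR(st.st_mode) &&
           st.st_uid == geteuid() && (st.st_mode & 0777) == 0700;
}

/* Create sc_filename / results_filename inside that directory. O_EXCL fails if
 * the name exists and O_NOFOLLOW refuses symlinks, so the unlink-then-write
 * window of the original code no longer exists. Returns an fd or -1. */
int create_private_file(const char *dir, const char *name)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int) sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Cleanup: remove whatever ovaldi left in the directory, then the directory. */
int remove_private_workdir(const char *dir, const char *const *names, size_t n)
{
    char path[PATH_MAX];
    for (size_t i = 0; i < n; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);                   /* ENOENT is fine: file may be absent */
    }
    return rmdir(dir);
}
```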
