List: openvas-discuss
Subject: [Openvas-discuss] Small symlink vuln in OpenVAS
From: Tim Brown <timb () openvas ! org>
Date: 2010-09-08 18:31:37
Message-ID: 201009081931.47517.timb () openvas ! org
All,
We were recently forwarded by OSVDB an anonymous report regarding a potential symlink attack that affected OpenVAS when used in combination with ovaldi. Having analysed the bug as reported I spotted two further potential flaws with the code. One was another potential symlink attack whilst the other related to the dropping of root privileges. A quick analysis and a nasty patch are attached, although I do not expect many users to be affected due to the low use of the ovaldi functionality.

The two symlink attacks relate to the use of static filenames as parameters when executing the ovaldi binary. Whilst the attached patch will cause random filenames to be used, the nature of calling an external binary with filename parameters is always problematic, because of a race condition between time of creation and time of use. The best resolution would be for OpenVAS to work with ovaldi to create a better API for integrating it into the OpenVAS workflow.

The third flaw relates to the dropping of privileges. Traditionally, OpenVAS has always run as root with all the potential problems that this entails. With this flaw, OpenVAS does not defensively handle the case where it is unable to become the nobody user, which could lead to code continuing to run with root privileges.

I'd characterise all three bugs as minor; given that, however, we should probably review the code concerned and make changes as necessary.

For the future, security@openvas.org has been set up to take future reports of potential advisories and our vendor entry at OSVDB has been updated to that effect. I will be drafting a page for the web site in due course which will set out our process for dealing with new reports and will of course be making this available to the rest of the OpenVAS community in due course.
Tim
--
Tim Brown
<mailto:timb@openvas.org>
<http://www.openvas.org/>
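The two remediations the mail calls for, creating the ovaldi scratch files without a creation/use race and failing closed when root cannot be dropped, as an added C example that is not part of the mail, the attached patch, or OpenVAS itself; the function names, the stat check and the 65534 uid/gid used in the usage are the example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private scratch file for an external tool such as ovaldi.
 * mkstemp() creates the file atomically with O_CREAT|O_EXCL and mode 0600, so a
 * symlink pre-planted at the chosen name makes the call fail instead of being
 * followed; tempnam() only picks a name and leaves that race open.
 * Returns an open fd and writes the path to path_out, or -1 with errno set. */
int create_private_tempfile(const char *dir, const char *prefix,
                            char *path_out, size_t path_len)
{
  int n = snprintf(path_out, path_len, "%s/%sXXXXXX", dir, prefix);
  if (n < 0 || (size_t) n >= path_len)
    return -1;                       /* errno left as set by snprintf, or ERANGE */
  int fd = mkstemp(path_out);
  if (fd < 0)
    return -1;
  /* Belt and braces: keep only a regular file owned by us (assumed policy). */
  struct stat st;
  if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
    close(fd);
    unlink(path_out);
    errno = EINVAL;
    return -1;
  }
  return fd;                         /* caller closes and unlink()s path_out */
}

/* Drop root to an unprivileged uid/gid and fail closed: every call is checked,
 * supplementary groups go first, gid before uid, and the result is verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
  if (uid == 0 || gid == 0)
    return -1;                       /* "dropping" to root is not dropping */
  if (setgroups(0, NULL) != 0)
    return -1;
  if (setgid(gid) != 0 || setuid(uid) != 0)
    return -1;
  if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
    return -1;
  if (setuid(0) == 0)
    return -1;                       /* root regained: refuse to continue */
  return 0;
}
```

A launcher would call create_private_tempfile() for both the sc-out and results files, pass the paths to ovaldi, then close and unlink them, and would abort the launch whenever drop_privileges() returns -1 rather than carrying on as root.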
["patch.diff" (text/x-patch)]
Index: oval_plugins.c
===================================================================
--- oval_plugins.c (revision 8727)
+++ oval_plugins.c (working copy)
@@ -136,8 +136,10 @@
* platforms.
*
* TODO: Functionality for dropping privileges has now been added to
- * openvas-libraries, consider using drop_privileges instead.
+ * openvas-libraries, consider using drop_privileges instead. We should also consider
+ * failing if we can't drop privileges.
*
+ *
* @param user_data Pointer to additional data passed by glib; currently unused.
*/
void
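Review bot: this hunk changes comment text only, so the third flaw described in the mail (continuing as root when the switch to the nobody user fails) is still open once the patch is applied. Rather than extending the TODO, the code that drops privileges should check the return values of setgroups(), setgid() and setuid() and abort the launch on any failure. The added bare ` *` line just before the `@param user_data` line also looks like an accidental blank comment line.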
@@ -575,8 +577,8 @@
void
ovaldi_launch (struct arglist *g_args)
{
- gchar *sc_filename;
- gchar *results_filename;
+ char *sc_filename;
+ char *results_filename;
FILE *sc_file;
time_t t;
struct tm *tmp;
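Review bot: changing `gchar *` to `char *` is cosmetic (gchar is a typedef for char); what really changes is ownership, since these pointers will now come from tempnam(), which returns malloc()ed memory that must be released with free() rather than g_free(). A one-line comment at the declarations saying so would stop a later edit from reintroducing g_strconcat()/g_free() on one of them.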
@@ -590,9 +592,9 @@
strlen ((char *) arg_get_value (g_args, "name")) -
strlen (basename));
- sc_filename = g_strconcat (folder, "sc-out.xml", NULL);
+ sc_filename = tempnam(folder, "sc-out.xml");
log_write ("SC Filename: %s\n", sc_filename);
- results_filename = "/tmp/results.xml";
+ results_filename = tempnam("/tmp", "results.xml");
if (g_file_test (results_filename, G_FILE_TEST_EXISTS))
{
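Review bot: tempnam() only generates a name and does not create the file, so the time-of-creation/time-of-use window the mail describes is still there: the name is now random, but the file is created later by whoever opens it, and the `g_file_test (results_filename, G_FILE_TEST_EXISTS)` check that follows is itself a check-then-use race. Prefer mkstemp() (or g_mkstemp()/g_file_open_tmp(), since the file already uses GLib), which creates the file atomically with O_EXCL and mode 0600, and hand the resulting path to ovaldi. Two further caveats with the call as written: glibc's tempnam() uses at most five bytes of the prefix, so "results.xml" yields something like /tmp/resulXXXXXX and the .xml extension is lost, and tempnam() consults the TMPDIR environment variable before the dir argument, so `folder` is not guaranteed to be honoured.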
@@ -1078,6 +1080,8 @@
post_note (g_args, 0, result_string);
log_write ("Could not launch ovaldi!\n");
}
+ free(sc_filename);
+ free(results_filename);
g_strfreev (argv);
g_free (result_string);
}
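Review bot: free() is the right counterpart to tempnam()'s malloc(), but it only runs on this one exit path; if ovaldi_launch() returns early between the tempnam() calls and here (for instance from the results_filename-exists branch in the previous hunk), both strings leak. Since the names are now random, the temporary files themselves should also be unlink()ed at this point, otherwise every run leaves a fresh sc-out and results file behind in the folder and /tmp instead of overwriting a fixed one.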
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss