tags 496410 security
thanks

On 13:15 Sun 24 Aug, Steve Langasek wrote:
SL> severity 496410 important
SL> thanks

You are mistaken :) Your script is placed in /usr/sbin, i.e. it runs with root privs. If I create a symlink /etc/shadow -> /tmp/eglog and you start this script, then your system will be damaged. Please check it again :) (and please revert the severity level)

SL> On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote:
SL>> Package: cman
SL>> Severity: grave
SL>> Binary-package: cman (2.20080629-1)
SL>> file: /usr/sbin/fence_egenera

SL> The broken usage is:

SL>     local *egen_log;
SL>     open(egen_log,">/tmp/eglog");
SL> [...]
SL>     print egen_log "shutdown: $trys $status\n";
SL> [...]
SL>     print egen_log "shutdown: crash dump being performed. Waiting\n";
SL> [...]
SL>     print egen_log "shutdown: $cmd being called, before open3\n";
SL> [...]
SL>     print egen_log "shutdown: after calling open3\n";
SL> [...]
SL>     print egen_log "shutdown: Open3 result: ", @outlines, "\n";
SL> [...]
SL>     print egen_log "shutdown: Returning from pserver_shutdown with return code $rtrn\n";

SL> This is, of course, wrong, and subject to symlink attack. However, I don't
SL> see any way that this can be exploitable for privilege escalation, which is
SL> the standard for 'grave' severity security bugs: it doesn't allow arbitrary
SL> output to the file, only a finite set of strings which are not valid shell,
SL> cron entries, password/shadow entries, or any other config file that I know
SL> of.

SL> So at best this appears to be a DoS symlink attack; therefore downgrading.

-- 
. ''`.   Dmitry E. Oboukhov
: :' :   [EMAIL PROTECTED]
`. `~'   GPGKey: 1024D / F8E26537 2006-11-21
  `-     1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
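The fix both correspondents would accept is to stop `open(egen_log,">/tmp/eglog")` from following whatever already sits at that path. The script below is an added example written for this thread, not code from cman's fence_egenera or from either author: it assumes a root-run agent that wants a debug log under /tmp, and the template name `eglog.XXXXXXXX` is a constructed placeholder. It shows the two standard defences: `O_CREAT|O_EXCL|O_NOFOLLOW` when the name must stay predictable, and `File::Temp` when it need not.

```perl
#!/usr/bin/perl
# Added example, not code from cman or the bug report. Opens a debug log
# under /tmp so that a symlink or file planted at the path beforehand is
# never opened, and so that a failed open cannot stop the agent itself.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Temp qw(tempfile);

# Variant A: the name has to stay predictable (operators expect /tmp/eglog).
# O_EXCL makes the open fail if anything at all already exists at $path, so
# a pre-planted symlink or regular file is never written through; O_NOFOLLOW
# additionally refuses a symlink on the final component where the OS
# supports it (Linux does). Mode 0600 keeps the log private to root.
sub open_fixed_log {
    my ($path) = @_;
    my $fh;
    sysopen($fh, $path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)
        or return;    # undef in scalar context; caller decides what to do
    return $fh;
}

# Variant B (preferred): let File::Temp pick an unpredictable name and do the
# O_EXCL create itself. In list context the file is kept after close, and the
# path actually used is returned so it can be reported to the operator.
sub open_temp_log {
    my ($fh, $name) = tempfile("eglog.XXXXXXXX", DIR => "/tmp");
    return ($fh, $name);
}

# Debug logging must never decide whether fencing happens. If the fixed path
# is unusable, say so on STDERR and fall back to a fresh temp file; if even
# that fails, carry on without a log rather than die.
my $log = open_fixed_log("/tmp/eglog");
if (!$log) {
    warn "fence agent: not logging to /tmp/eglog: $!\n";
    my $used;
    ($log, $used) = open_temp_log();
    warn "fence agent: logging to $used instead\n" if $log;
}

# The same kind of lines fence_egenera writes, now to a safely opened handle.
print {$log} "shutdown: 1 starting\n"                                         if $log;
print {$log} "shutdown: Returning from pserver_shutdown with return code 0\n" if $log;
close $log if $log;
```

The point of `O_EXCL` for the DoS scenario discussed above is that a planted symlink no longer redirects the agent's output anywhere: the open simply fails, and because the failure is handled with `warn` rather than `die`, the fencing operation itself still runs. Variant B removes the predictable name entirely, which is the usual recommendation for anything a privileged process creates in a world-writable directory.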