Debian Bug report logs - #431332
CVE-2007-2837: Arbitrary file removal

Package: fireflier-server; Maintainer for fireflier-server is (unknown);

Reported by: Steve Kemp <skx@debian.org>

Date: Sun, 1 Jul 2007 18:30:01 UTC

Severity: grave

Tags: security

Found in version fireflier/1.1.6-3

Fixed in versions fireflier/1.1.7, 1.1.6-3etch1

Done: Martin MAURER <martinmaurer@gmx.at>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Martin Maurer <fireflier@gibraltar.at>:
Bug#431332; Package fireflier-server. (full text, mbox, link).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
New Bug report received and forwarded. Copy sent to Martin Maurer <fireflier@gibraltar.at>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-2837: Arbitrary file removal
Date: Sun, 1 Jul 2007 19:28:36 +0100
Package: fireflier-server
Version: 1.1.6-3
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

  Security issue: CVE-2007-2837.

  The server, fireflierd, runs with root privileges and the code
 contains this gem which I think speaks for itself:

string getRule(unsigned int chainid, int rulenum)
{
   ...

   cmd="rm -f /tmp/fireflier.rules && touch /tmp/fireflier.rules && 
        chmod 0700 /tmp/fireflier.rules && ";
   cmd+=IPTABLES_SAVE;
   cmd+=" > /tmp/fireflier.rules";
   if(DEBUG)
     cout<<"cmd: "<<cmd<<endl;

   system(cmd.c_str());

   ...
}


  This contains several race conditions, and can be trivially exploited to
 remove any file on the server as root.

  For example run this as a user inside GNU screen:
   skx@vain:~$ while true; do ln -s  /etc/passwd  /tmp/fireflier.rules; done

  Wait for a root user to fetch/update/delete a rule using one of the available
 clients, and the /etc/passwd file will be removed.

Steve
--
#  Kink-Friendly Dating
http://ctrl-alt-date.com/
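The weakness in the snippet above is that a root process resolves a fixed, predictable path in a world-writable directory several times (rm, touch, chmod, then the shell's redirection), and anything planted at that name between two of those steps is followed. The following is an added example of the hardened pattern, written for this bug log; it is not fireflier's code and not the patch Steve Kemp supplied (which the thread does not show). Function names, and the use of /tmp as the template directory, are assumptions for the demonstration.

```cpp
// Added example (not fireflier's code nor the patch from the thread): capture a
// command's output into a temp file that a symlink planted in /tmp cannot hijack.
// mkstemp() creates the file with O_CREAT|O_EXCL and mode 0600 under an
// unpredictable name, so it never follows a pre-planted link, and the child
// writes to the already-open descriptor instead of re-resolving a path through
// a shell redirection. No shell is spawned at all.
#include <string>
#include <vector>
#include <cstdlib>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>

// Runs argv with stdout sent to a freshly created private temp file.
// Returns the child's exit status (0 == success) and the file's path via
// out_path; returns -1 on any setup failure.
int captureToPrivateFile(const std::vector<std::string>& argv, std::string& out_path)
{
    char tmpl[] = "/tmp/fireflier.rules.XXXXXX";   // directory is an assumption
    int fd = mkstemp(tmpl);            // O_CREAT|O_EXCL, 0600, never follows a link
    if (fd < 0) return -1;
    out_path = tmpl;

    std::vector<char*> cargv;
    for (const std::string& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(tmpl); return -1; }
    if (pid == 0) {
        // Child: the descriptor, not the path, becomes stdout.
        if (dup2(fd, STDOUT_FILENO) < 0) _exit(127);
        close(fd);
        execvp(cargv[0], cargv.data());
        _exit(127);                    // exec failed
    }
    close(fd);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Post-condition check: a regular file (not a symlink), owned by us, mode 0600.
bool isPrivateRegularFile(const std::string& path)
{
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_uid == getuid();
}
```

In the real daemon the argv would be the iptables-save invocation and the temp file would live in a root-owned directory rather than /tmp, which removes the second class of problem (any local user choosing the name) on top of the race.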



Information forwarded to debian-bugs-dist@lists.debian.org, Martin Maurer <fireflier@gibraltar.at>:
Bug#431332; Package fireflier-server. (full text, mbox, link).


Acknowledgement sent to Martin MAURER <martinmaurer@gmx.at>:
Extra info received and forwarded to list. Copy sent to Martin Maurer <fireflier@gibraltar.at>. (full text, mbox, link).


Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin MAURER <martinmaurer@gmx.at>
To: Steve Kemp <skx@debian.org>, 431332@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#431332: CVE-2007-2837: Arbitrary file removal
Date: Sun, 01 Jul 2007 21:56:43 +0200
[Message part 1 (text/plain, inline)]
Hi,

I agree that this code could become a problem, although I wasn't able to
reproduce using screen and the command written in your mail.
Anyways - what really might happen is that the file is overwritten, not
deleted, as rm should delete the link not the file the link points to.
Nevertheless, this doesn't make a big difference, so I will add your fix
to the official version of fireflier. 

thanks,
Martin Maurer
(main developer, and original author of that code)

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Maurer <fireflier@gibraltar.at>:
Bug#431332; Package fireflier-server. (full text, mbox, link).


Acknowledgement sent to Martin MAURER <martinmaurer@gmx.at>:
Extra info received and forwarded to list. Copy sent to Martin Maurer <fireflier@gibraltar.at>. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Martin Maurer <fireflier@gibraltar.at>:
Bug#431332; Package fireflier-server. (full text, mbox, link).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Martin Maurer <fireflier@gibraltar.at>. (full text, mbox, link).


Message #20 received at 431332@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>
To: Martin MAURER <martinmaurer@gmx.at>
Cc: 431332@bugs.debian.org
Subject: Re: Bug#431332: CVE-2007-2837: Arbitrary file removal
Date: Sun, 1 Jul 2007 21:24:57 +0100
On Sun Jul 01, 2007 at 21:56:43 +0200, Martin MAURER wrote:

> I agree that this code could become a problem, although I wasn't able to
> reproduce using screen and the command written in your mail.

  I could reproduce this using the -qt version of the client.  First of
 all adding some rules, then bringing up the rule list and removing one
 of them.

> Anyways - what really might happen is that the file is overwritten, not
> deleted, as rm should delete the link not the file the link points to.

  That is generally true.  I'm trying to remember whether it was
 unlinked and I'm 99% certain it was, rather than truncated/trashed.

> Nevertheless, this doesn't make a big difference, so I will add your fix
> to the official version of fireflier. 

  Thanks a lot.

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/




Tags added: security Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 01 Jul 2007 21:06:04 GMT) (full text, mbox, link).


Reply sent to Martin MAURER <martinmaurer@gmx.at>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Steve Kemp <skx@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #27 received at 431332-done@bugs.debian.org (full text, mbox, reply):

From: Martin MAURER <martinmaurer@gmx.at>
To: 431332-done@bugs.debian.org
Subject: New version in unstable
Date: Sun, 08 Jul 2007 12:42:33 +0200
[Message part 1 (text/plain, inline)]
I uploaded fireflier-1.1.7 to unstable, which fixes this bug by applying
the changes from Steve Kemp to fireflier-1.1.6.
In fireflier-1.1.7 no other changes were done.

thanks,
Martin

[signature.asc (application/pgp-signature, inline)]

Bug marked as fixed in version 1.1.7. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Sun, 08 Jul 2007 13:33:03 GMT) (full text, mbox, link).


Bug marked as fixed in version 1.1.6-3etch1. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Fri, 20 Jul 2007 23:03:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:28:24 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 25 16:01:34 2026; Machine Name: buxtehude
