[Secure-testing-team] Bug#497452: nfdump: vulnerable to symlink attacks
Andreas Putzo
andreas at putzo.net
Mon Sep 1 20:26:47 UTC 2008
Package: nfdump
Version: 1.5.7-4
Severity: grave
Tags: security
Hi,

nfdump in its default installation starts nfcapd as a daemon that
creates a file in /var/tmp/nfcapd.current.<pid> as well as
/var/tmp/nfcapd.<yyyymmddhhmmss>. These files are vulnerable to symlink
attacks, which is especially worse because nfcapd runs as root (see
#497446) and thus can overwrite any file on the system.

I think the easiest way would be to fix #497446 and let nfcapd store its
files in /var/lib/nfdump (-l command line switch) or similar instead of
world-writeable /var/tmp.

Note that I only tried to overwrite files with nfcapd.current.<pid> but
I believe the same bug exists for the nfcapd.<date> variant.

Regards,
Andreas
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages nfdump depends on:
ii libc6 2.7-10 GNU C Library: Shared libraries
ii librrd4 1.3.1-3 Time-series data storage and displ
ii lsb-base 3.2-12 Linux Standard Base 3.2 init scrip
nfdump recommends no packages.
-- no debconf information
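
The failure mode reported above, next to a hardened way to create the file, as an added example that is not part of the original report and is not nfcapd's code. The function names, the scratch directory and the file name nfcapd.current.1234 are constructed for illustration; the scenario runs entirely inside a private temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: without O_EXCL/O_NOFOLLOW, open() follows a symlink that
 * already sits at the predictable name and truncates the file it points to. */
int open_following(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if the name exists, even as a
 * symlink; O_NOFOLLOW additionally refuses a symlink as the last component. */
int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "target" stands in for a file the daemon must never
 * touch; "nfcapd.current.1234" is a symlink to it placed before the daemon
 * opens its output. Returns the target's size after the open attempt and
 * stores the errno of a failed open (0 on success) in *open_errno. */
long run_scenario(int hardened, int *open_errno) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", target[128], lnk[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/nfcapd.current.1234", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("important\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(target, lnk) != 0) return -1;
    int fd = hardened ? open_exclusive(lnk) : open_following(lnk);
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e1, e2;
    long s1 = run_scenario(0, &e1), s2 = run_scenario(1, &e2);
    printf("following open: target size %ld (errno %d)\n", s1, e1);
    printf("exclusive open: target size %ld (%s)\n", s2, strerror(e2));
    return 0;
}
```

Exclusive creation only removes the overwrite; storing the files in a directory that other users cannot write to, as the report suggests, also prevents another user from pre-creating the name and making the open fail.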