[Secure-testing-team] Bug#534908: possibly symlink attack due to client-connect script

martin f krafft madduck at debian.org
Sun Jun 28 08:14:31 UTC 2009 

Package: openvpn
Version: 2.1~rc15-1
Severity: important
Tags: security

OpenVPN's --client-connect option is described as follows:

       --client-connect script
              Run script on client connection.  The script is passed  the  common
              name and IP address of the just-authenticated client as environmen-
              tal variables (see  environmental  variable  section  below).   The
              script  is  also passed the pathname of a not-yet-created temporary
              file as $1 (i.e. the first command line argument), to  be  used  by
              the  script  to  pass  dynamically generated config file directives
              back to OpenVPN.

Since the script and it's argument should be visible in the process
table, and client connect scripts might just be simple shell
scripts, it could be possible for an attacker to launch a symlink
attack:

  1. monitor process table for connect script
  2. create symlink, e.g. to overwrite /etc/shadow
  3. watch the connect script clobber /etc/shadow

I don't think this is a big threat, it's a problem that can easily
be solved by using a proper tempfile (and ensuring that it gets
deleted when no longer needed).

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]         1.5.26     Debian configuration management sy
ii  libc6                         2.9-18     GNU C Library: Shared libraries
ii  liblzo2-2                     2.03-1     data compression library
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l
ii  libpkcs11-helper1             1.07-1     library that simplifies the intera
ii  libssl0.9.8                   0.9.8k-3   SSL shared libraries
ii  openssl-blacklist             0.5-2      list of blacklisted OpenSSL RSA ke
ii  openvpn-blacklist             0.4        list of blacklisted OpenVPN RSA sh

Versions of packages openvpn recommends:
ii  net-tools                     1.60-23    The NET-3 networking toolkit

Versions of packages openvpn suggests:
ii  openssl                       0.9.8k-3   Secure Socket Layer (SSL) binary a
ii  resolvconf                    1.44       name server information handler

-- debconf information excluded


-- 
 .''`.   martin f. krafft <madduck at d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/)
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090628/0e19f5c1/attachment.pgp>

More information about the Secure-testing-team mailing list