Date: Thu, 26 Nov 1998 06:40:21 -0800
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Bootpd 2.4.3 tmp race
Message-ID: <199811261440.GAA03910@cwsys.cwsent.com>
It appears that our bootpd is vulnerable.  I've submitted a PR to document this.

For discussion (if anyone wishes to comment).

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC

------- Forwarded Message

Message-ID: <Pine.LNX.4.04.9811120612060.4817-100000@freak.conectiva.com.br>
Date: Thu, 12 Nov 1998 06:13:03 -0200
Reply-To: Marcelo Tosatti <marcelo@CONECTIVA.COM.BR>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Marcelo Tosatti <marcelo@CONECTIVA.COM.BR>
Subject: Bootpd 2.4.3 tmp race
X-cc: wanderlei@conectiva.com.br
To: BUGTRAQ@netspace.org

Sorry if this is already known.

I found a tmp race in bootpd 2.4.3.

If the user does not specify a file to dump the database, bootpd will try to
dump it in /tmp/bootpd.dump.

Here goes the fix:

diff -Nur bootp-2.4.3.orig/bootpd.c bootp-2.4.3/bootpd.c - --- bootp-2.4.3.orig/bootpd.c Mon Mar 27 18:38:35 1995 +++ bootp-2.4.3/bootpd.c Thu Nov 12 05:57:39 1998 @@ -91,11 +91,9 @@ #ifndef CONFIG_FILE #define CONFIG_FILE "/etc/bootptab" #endif - -#qifndef DUMPTAB_FILE - -#define DUMPTAB_FILE "/tmp/bootpd.dump" - -#endif - - +char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX"; + /* * Externals, forward declarations, and global variables @@ -369,7 +367,8 @@ if (argc > 1) bootpd_dump = argv[1]; - - + else + mktemp(DUMPTAB_FILE); /* * Get my hostname and IP address. */

Marcelo Tosatti
Conectiva Internet Solutions

------- End of Forwarded Message
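Review bot: In the first hunk (@@ -91,11 +91,9 @@), replacing the guarded "#define DUMPTAB_FILE" with `char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";` removes the build-time override that the #ifndef guard provided and leaves a writable global with a macro-style name. Suggest keeping the guarded macro as the template string and copying it into a separately named buffer before it is modified. The removed line also reads "#qifndef", which looks like a typo for "#ifndef" and would keep the hunk from applying, and the "- ---" and "- -" prefixes look like dash-escaping added in transit that has to be undone first.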
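Review bot: In the second hunk (@@ -369,7 +367,8 @@), `mktemp(DUMPTAB_FILE);` only fills in a name and does not create the file, so the window between choosing the name and the later open of the dump file remains; the name is harder to guess but the race is not closed. The return value is unchecked, and the visible lines do not show bootpd_dump being pointed at the generated name in the else branch. Suggest creating the file at dump time with mkstemp() and writing through the returned descriptor, or opening the path with O_CREAT|O_EXCL and failing if it already exists.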
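The temp-file race described in the message above, shown from the defending side as an added example (not part of the original e-mails and not bootpd code): the helper dump_open_excl() and the demo functions are hypothetical names, and the scratch paths under /tmp are constructed for the demonstration. It shows that an exclusive create refuses a symlink already planted at the dump path, and that mkstemp() names and creates the file in one step.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not bootpd code). O_CREAT|O_EXCL creates the file or
 * fails: it never reuses an existing file or follows a symlink at `path`. */
int dump_open_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a symlink already sits at the dump path.
 * Returns 1 if the open fails with EEXIST and the link target stays absent. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX", dumplink[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(dumplink, sizeof dumplink, "%s/bootpd.dump", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, dumplink) != 0) { rmdir(dir); return -1; }
    int fd = dump_open_excl(dumplink);
    int ok = (fd == -1 && errno == EEXIST && stat(target, &st) == -1);
    if (fd != -1) close(fd);
    unlink(dumplink); unlink(target); rmdir(dir);
    return ok;
}

/* mkstemp() picks the name and creates the file in one step.
 * Returns 1 if the result is a regular file with mode 0600. */
int demo_mkstemp_private(void)
{
    char path[] = "/tmp/bootpd.dump.XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd == -1) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
    close(fd); unlink(path);
    return ok;
}

int main(void)
{
    printf("symlink refused: %d, mkstemp private: %d\n",
           demo_symlink_refused(), demo_mkstemp_private());
    return 0;
}
```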