From owner-freebsd-security  Thu Nov 26 06:41:23 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id GAA04650
          for freebsd-security-outgoing; Thu, 26 Nov 1998 06:41:23 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA04645
          for <freebsd-security@freebsd.org>; Thu, 26 Nov 1998 06:41:22 -0800 (PST)
          (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.9.1/8.8.8) id GAA24772
	for <freebsd-security@freebsd.org>; Thu, 26 Nov 1998 06:41:17 -0800
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com"
 via SMTP by point.osg.gov.bc.ca, id smtpda24770; Thu Nov 26 06:40:57 1998
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.9.1/8.9.1) id GAA03910
	for <freebsd-security@freebsd.org>; Thu, 26 Nov 1998 06:40:27 -0800 (PST)
Message-Id: <199811261440.GAA03910@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdPt3906; Thu Nov 26 06:40:23 1998
X-Mailer: exmh version 2.0.2 2/24/98
Reply-to: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
X-Sender: cy
To: freebsd-security@FreeBSD.ORG
Subject: Bootpd 2.4.3 tmp race
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 26 Nov 1998 06:40:21 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It appears that our bootpd is vulnerable.  I've submitted a PR to 
document this.

For discussion (if anyone wishes to comment).


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC            


------- Forwarded Message

Return-Path: cschuber@uumail.gov.bc.ca
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.9.1/8.9.1) id NAA02501
	for <cy>; Fri, 13 Nov 1998 13:00:26 -0800 (PST)
Resent-Message-Id: <199811132100.NAA02501@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be 
"passer.osg.gov.bc.ca"
 via SMTP by localhost.osg.gov.bc.ca, id smtpdME2456; Fri Nov 13 
12:59:24 1998
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.9.1/8.9.1) id MAA02448
	for <cschuber@passer.osg.gov.bc.ca>; Fri, 13 Nov 1998 12:59:23 -0800 
(PST)
Received: from point.osg.gov.bc.ca(142.32.102.44)
 via SMTP by passer.osg.gov.bc.ca, id smtpdZq2426; Fri Nov 13 12:58:42 
1998
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.9.1/8.8.8) id MAA20980
	for <cschuber@UUMAIL.GOV.BC.CA>; Fri, 13 Nov 1998 12:58:35 -0800
Received: from brimstone.netspace.org(128.148.157.143)
 via SMTP by point.osg.gov.bc.ca, id smtpda20975; Fri Nov 13 12:58:19 
1998
Received: from netspace.org ([128.148.157.6]:63038 "EHLO netspace.org" 
ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id 
<73867-26951>; Fri, 13 Nov 1998 12:26:46 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 
1.8c) with
          spool id 4903751 for BUGTRAQ@NETSPACE.ORG; Fri, 13 Nov 1998 
12:19:20
          -0500
Approved-By: aleph1@DFW.NET
Received: from freak.conectiva.com.br (animaniacs.conectiva.com.br
          [200.203.180.2]) by netspace.org (8.8.7/8.8.7) with ESMTP id 
PAA14599
          for <bugtraq@netspace.org>; Thu, 12 Nov 1998 15:40:55 -0500
Received: from localhost (marcelo@localhost) by freak.conectiva.com.br
          (8.9.1a/8.9.1) with ESMTP id GAA04837; Thu, 12 Nov 1998 
06:13:03 -0200
X-Authentication-Warning: freak.conectiva.com.br: marcelo owned process 
doing
                         -bs
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.04.9811120612060.4817-100000@freak.conectiva.com
.br>
Date: Thu, 12 Nov 1998 06:13:03 -0200
Reply-To: Marcelo Tosatti <marcelo@CONECTIVA.COM.BR>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Marcelo Tosatti <marcelo@CONECTIVA.COM.BR>
Subject: Bootpd 2.4.3 tmp race
X-cc: wanderlei@conectiva.com.br
To: BUGTRAQ@netspace.org
Resent-To: cy
Resent-Date: Fri, 13 Nov 1998 12:59:24 -0800
Resent-From: Cy Schubert <cschuber@uumail.gov.bc.ca>

Sorry if this is already known.
I found a tmp race in bootpd 2.4.3.
If the user do not specify a file to dump the database, bootpd will try 
to
dump it in /tmp/bootpd.dump.
Here goes the fix :

diff -Nur bootp-2.4.3.orig/bootpd.c bootp-2.4.3/bootpd.c
- --- bootp-2.4.3.orig/bootpd.c   Mon Mar 27 18:38:35 1995
+++ bootp-2.4.3/bootpd.c        Thu Nov 12 05:57:39 1998
@@ -91,11 +91,9 @@

 #ifndef CONFIG_FILE
 #define CONFIG_FILE            "/etc/bootptab"
 #endif
- -#qifndef DUMPTAB_FILE
- -#define DUMPTAB_FILE           "/tmp/bootpd.dump"
- -#endif

- -
+char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";
+

 /*
  * Externals, forward declarations, and global variables
@@ -369,7 +367,8 @@

        if (argc > 1)
                bootpd_dump = argv[1];
- -
+       else
+               mktemp(DUMPTAB_FILE);
        /*
         * Get my hostname and IP address.
         */


Marcelo Tosatti
Conectiva Internet Solutions

------- End of Forwarded Message




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message