Date:      Thu, 26 Nov 1998 06:40:21 -0800
From:      Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
To:        freebsd-security@FreeBSD.ORG
Subject:   Bootpd 2.4.3 tmp race
Message-ID:  <199811261440.GAA03910@cwsys.cwsent.com>

It appears that our bootpd is vulnerable.  I've submitted a PR to 
document this.

For discussion (if anyone wishes to comment).


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Government of BC            


------- Forwarded Message

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.04.9811120612060.4817-100000@freak.conectiva.com.br>
Date: Thu, 12 Nov 1998 06:13:03 -0200
Reply-To: Marcelo Tosatti <marcelo@CONECTIVA.COM.BR>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Marcelo Tosatti <marcelo@CONECTIVA.COM.BR>
Subject: Bootpd 2.4.3 tmp race
X-cc: wanderlei@conectiva.com.br
To: BUGTRAQ@netspace.org
Resent-To: cy
Resent-Date: Fri, 13 Nov 1998 12:59:24 -0800
Resent-From: Cy Schubert <cschuber@uumail.gov.bc.ca>

Sorry if this is already known.
I found a tmp race in bootpd 2.4.3.
If the user does not specify a file to dump the database, bootpd will try to
dump it in /tmp/bootpd.dump.
Here goes the fix:

diff -Nur bootp-2.4.3.orig/bootpd.c bootp-2.4.3/bootpd.c
- --- bootp-2.4.3.orig/bootpd.c   Mon Mar 27 18:38:35 1995
+++ bootp-2.4.3/bootpd.c        Thu Nov 12 05:57:39 1998
@@ -91,11 +91,9 @@

 #ifndef CONFIG_FILE
 #define CONFIG_FILE            "/etc/bootptab"
 #endif
- -#qifndef DUMPTAB_FILE
- -#define DUMPTAB_FILE           "/tmp/bootpd.dump"
- -#endif

- -
+char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";
+

 /*
  * Externals, forward declarations, and global variables
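
Review bot: in the first hunk, `char DUMPTAB_FILE [] = "/tmp/bootpd.dump.XXXXXX";` keeps a macro-style upper-case name for what is now a writable global buffer, and deleting the `#ifndef DUMPTAB_FILE` block removes the build-time override of the dump path. Suggest a lower-case static name such as dumptab_template, and keeping a compile-time define for the directory so the dump can be pointed away from world-writable /tmp. A randomised name also means the operator no longer knows where the dump lands unless bootpd reports the final path, so that should be logged or documented.
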
@@ -369,7 +367,8 @@

        if (argc > 1)
                bootpd_dump = argv[1];
- -
+       else
+               mktemp(DUMPTAB_FILE);
        /*
         * Get my hostname and IP address.
         */
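
Review bot: `mktemp(DUMPTAB_FILE);` in the new else branch only generates a name and does not create the file, so a gap remains between choosing the name here, during argument handling, and whatever later opens it; the return value is also unchecked. Suggest mkstemp() and writing the dump through the returned descriptor, or opening the path with O_CREAT|O_EXCL and mode 0600 at dump time. The branch also never assigns bootpd_dump, so it depends on bootpd_dump already pointing at DUMPTAB_FILE outside this hunk; that is worth confirming, since the first branch sets it explicitly.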


Marcelo Tosatti
Conectiva Internet Solutions

------- End of Forwarded Message




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
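
The C code below is an added example, not taken from bootpd or from either message in this thread. It shows two ways to create a dump file so that a file or symbolic link already sitting at the chosen name in /tmp is never followed or reused: exclusive creation at a fixed path, and mkstemp(). The function names open_dump_exclusive, open_dump_unique and wrap_fd are assumptions made for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkstemp, fdopen, O_NOFOLLOW */
#endif
#include <errno.h>      /* errno is left set for the caller on failure */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not bootpd source; all function names are hypothetical.
 * Wrap a descriptor in a stdio stream; on failure remove the new file. */
static FILE *wrap_fd(int fd, const char *path)
{
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) {
        close(fd);
        unlink(path);
    }
    return fp;
}

/* Fixed path: O_CREAT|O_EXCL makes open() fail with EEXIST if the name
 * already exists, symbolic links included, so nothing is followed,
 * truncated or reused. The file is created with mode 0600. */
FILE *open_dump_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? NULL : wrap_fd(fd, path);
}

/* Unique name: mkstemp() fills in the XXXXXX suffix and creates the file
 * in the same call, leaving no gap between naming and opening. */
FILE *open_dump_unique(char *tmpl)
{
    int fd = mkstemp(tmpl);
    return fd < 0 ? NULL : wrap_fd(fd, tmpl);
}

int main(void)
{
    char tmpl[] = "/tmp/bootpd.dump.XXXXXX";   /* constructed sample path */
    FILE *fp = open_dump_unique(tmpl);
    if (fp == NULL) { perror("open_dump_unique"); return 1; }
    fputs("# constructed sample dump\n", fp);
    fclose(fp);
    printf("dump written to %s\n", tmpl);
    return unlink(tmpl) == 0 ? 0 : 1;
}
```

With the fixed-path variant the daemon must decide what to do when the name is already taken (report the error, or remove a file it can prove it owns); silently falling back to a plain open would reintroduce the race.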


