######################################################### heartbeat multiples insecure temporary files creations Vendor: http://www.linux-ha.org Advisory: http://www.zataz.net/adviso/heartbeat-06272005.txt Vendor informed: yes Exploit available: yes Impact : low Exploitation : low ######################################################### The vulnerability is caused due to temporary file being created insecurely. This can be exploited via symlink attacks in combination to create and overwrite arbitrary files with the privileges of the user running the affected script. ########## Versions: ########## heartbeat <= 1.2.3 ########## Solution: ########## To prevent symlink attack use kernel patch such as grsecurity ######### Timeline: ######### Discovered : 2005-06-27 Vendor notified : 2005-07-12 Vendor response : Vendor fix : Vendor Sec report (vendor-sec@lst.de) : Disclosure : ##################### Technical details : ##################### Vulnerable code : ----------------- Look at : cts/CTStests.py.in -> insecure temp file handling 873 fstmpfile = "/tmp/band_estimate" 874 dumpcmd = "tcpdump -p -n -c 102 -i any udp port %d > %s 2>&1" \ 875 % (port, fstmpfile); cts/CTStests.py.in -> second order symlink attack 1076 self.CM.rsh(node,"cp /proc/drbd /tmp >/dev/null 2>&1") 1077 if self.CM.rsh.cp("%s:/tmp/drbd" % node,"/tmp"): 1078 line = open("/tmp/drbd").readlines()[2] cts/CTStests.py.in -> second order symlink attack via scp 1113 if self.CM.rsh(node,self.CM["DRBDCheckconf"])==0: 1114 self.CM.rsh.cp("%s:/tmp/drbdconf" % node, "/tmp") 1115 lines=open("/tmp/drbdconf","r") Also in : heartbeat/lib/BasicSanityCheck.in -> second order again 46 LOGFILE=/tmp/linux-ha.testlog This file contain a lot off actions on the insecure tmp file. Also in : lib/stonith/meatclient.c 58 const char * meatpipe_pr = "/tmp/.meatware"; 101 snprintf(meatpipe, 256, "%s.%s", meatpipe_pr, opthost); ######### Related : ######### Bug report : http://bugs.gentoo.org/show_bug.cgi?id=97175 CVE : ##################### Credits : ##################### Eric Romang (eromang@zataz.net - ZATAZ Audit) Thxs to Gentoo Security Team. (Taviso, jaervosz, solar, Koon, etc.)