Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Conectiva CLA-2003:723: openslp temp file creation vulnerability

Conectiva CLA-2003:723: openslp temp file creation vulnerability

by Nikola Strahija on August 18th, 2003 A vulnerability has been found in the initscript used to control the openslp daemon. Since the script is usually called by the root user, an attacker could exploit this vulnerability to at least reset the content of any file in the system as soon as the "start" action is called.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : openslp
SUMMARY : Temporary file creation vulnerability
DATE : 2003-08-18 18:49:00
ID : CLA-2003:723
RELEVANT
RELEASES : 9

- -------------------------------------------------------------------------

DESCRIPTION
OpenSLP[1] is an implementation of the "Service Location Protocol
V2", an IETF standards track protocol that provides a framework to
allow networking applications to discover the existence, location,
and configuration of networked services in enterprise networks.

There is a symbolic link vulnerability[2] in the initscript used to
control the openslp daemon. The initscript (/etc/rc.d/init.d/slpd)
uses '/tmp/route.check' as a temporarily file in an unsafe manner.

Since the script is usually called by the root user (to start/stop
the service), an attacker could exploit this vulnerability to at
least "reset" the content of any file in the system as soon as the
"start" action is called. As a standard symlink vulnerabilty, all the
attacker needs is to create a /tmp/route.check symbolic link pointing
to the target file.

This update fixes the problem by using a different initscript that
does not use a temporary file. It is important to note that this
update brings the latest stable release of openslp: 1.0.11, which
contains several other fixes and improvements[3].


SOLUTION
All OpenSLP users should upgrade.


REFERENCES:
1.http://www.openslp.org
2.http://www.securityfocus.com/archive/1/333823
3.http://sourceforge.net/project/showfiles.php?group_id=1730


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/RPMS/openslp-1.0.11-27287U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openslp-devel-1.0.11-27287U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/openslp-1.0.11-27287U90_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/QUpn42jd0JmAcZARAppdAJ9ai2lX0yiwg2V3eSzjFuCUqm1RngCbBiAE
jMiOnOGTiX8lOaPD/maP0xE=
=S9AD
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »