Ethereal-dev: [ethereal-dev] Security race in ethereal leading to root access

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Sharpe <sharpe@xxxxxxxxxx>
Date: Fri, 30 Jul 1999 23:38:02 +0900
Hi,

I was talking with Andrew Tridgell last night about Ethereal, and he likes
it.  However, while we were looking at something we found what looks like
an exploitable race in Ethereal.

Capture.c calls tempnam to create a temporary name for the capture file,
and this seems to call pcap_dump_file or some other routine to open the file.

An strace shows the following:

   open ("/tmp/ether00688aaa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 9

That is, it is not opened with O_EXCL, which means someone who is creating
links with the correct pattern has a possibility to create a link to
/etc/passwd between when we create the name and open the file ...

Does anyone know how to fix this?  Perhaps we should call mkstemp and pass
a file descriptor to pcap instead?


Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, NS Computer Software and Services P/L,
Samba (Team member www.samba.org), Ethereal (Team member www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
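The mkstemp() route the message proposes, worked through as an added example (this is not Ethereal's code nor the poster's): the name is generated and the file opened with O_CREAT|O_EXCL in a single call, the descriptor is checked to be a regular file we own, and it is wrapped in a FILE* so it can be handed to libpcap. Assumptions: the later libpcap call pcap_dump_fopen(), which accepts a FILE*, is the hand-over point and is not shown here; the /tmp paths and the written bytes are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the capture file in one step: mkstemp() fills in the XXXXXX suffix
 * and opens with O_CREAT|O_EXCL, so a link planted at that name makes the open
 * fail instead of being followed.  tmpl is rewritten to the real name.
 * Returns a FILE* (the type pcap_dump_fopen() accepts) or NULL. */
FILE *open_capture_file_safely(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    struct stat st;  /* confirm we hold a regular file we own, not a link target */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return NULL;
    }
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) close(fd);
    return fp;
}

/* What O_EXCL buys: once a name already exists (a plain file here stands in
 * for a planted link), an exclusive create fails with EEXIST instead of
 * truncating whatever the name resolves to.  Returns 1 if it was refused. */
int exclusive_create_refuses_existing(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return 0;
    close(fd);
    int fd2 = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd2 < 0 && errno == EEXIST);
    if (fd2 >= 0) close(fd2);
    unlink(path);
    return refused;
}

/* Round trip using the same name pattern the strace shows.  Returns 1 on success. */
int demo_safe_capture_open(void) {
    char name[] = "/tmp/etherXXXXXX";      /* constructed template */
    FILE *fp = open_capture_file_safely(name);
    if (fp == NULL) return 0;
    int ok = fputs("constructed capture data\n", fp) != EOF;   /* 25 bytes */
    if (fclose(fp) != 0) ok = 0;
    struct stat st;
    ok = ok && stat(name, &st) == 0 && st.st_size == 25;
    unlink(name);
    return ok;
}
```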