martin f krafft
2009-Jun-28 08:14 UTC
[Secure-testing-team] Bug#534908: possibly symlink attack due to client-connect script
Package: openvpn
Version: 2.1~rc15-1
Severity: important
Tags: security
OpenVPN's --client-connect option is described as follows:

  --client-connect script
      Run script on client connection. The script is passed the common
      name and IP address of the just-authenticated client as
      environmental variables (see environmental variable section
      below). The script is also passed the pathname of a
      not-yet-created temporary file as $1 (i.e. the first command
      line argument), to be used by the script to pass dynamically
      generated config file directives back to OpenVPN.

Since the script and its argument should be visible in the process
table, and client connect scripts might just be simple shell
scripts, it could be possible for an attacker to launch a symlink
attack:

1. monitor process table for connect script
2. create symlink, e.g. to overwrite /etc/shadow
3. watch the connect script clobber /etc/shadow

I don't think this is a big threat, it's a problem that can easily
be solved by using a proper tempfile (and ensuring that it gets
deleted when no longer needed).

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openvpn depends on:
ii debconf [debconf-2.0] 1.5.26 Debian configuration management sy
ii libc6 2.9-18 GNU C Library: Shared libraries
ii liblzo2-2 2.03-1 data compression library
ii libpam0g 1.0.1-9 Pluggable Authentication Modules l
ii libpkcs11-helper1 1.07-1 library that simplifies the intera
ii libssl0.9.8 0.9.8k-3 SSL shared libraries
ii openssl-blacklist 0.5-2 list of blacklisted OpenSSL RSA ke
ii openvpn-blacklist 0.4 list of blacklisted OpenVPN RSA sh
Versions of packages openvpn recommends:
ii net-tools 1.60-23 The NET-3 networking toolkit
Versions of packages openvpn suggests:
ii openssl 0.9.8k-3 Secure Socket Layer (SSL) binary a
ii resolvconf 1.44 name server information handler
-- debconf information excluded
--
 .''`.   martin f. krafft <madduck at d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems
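
A script-side mitigation for the scenario in the report above, as an added example that is not part of the original report or of OpenVPN: a client-connect script that refuses to write when anything already sits at the path passed as $1. The function name write_directives and the directive text are hypothetical, constructed for illustration.

```sh
#!/bin/sh
# Added example: client-connect script that will not write through a
# planted link. write_directives and the directive text are hypothetical.

# write_directives FILE
#   Writes config directives to FILE (the path OpenVPN passes as $1).
#   Returns non-zero without writing if FILE already exists in any form.
write_directives() {
    out=$1

    # OpenVPN documents $1 as "not-yet-created": anything already at that
    # path, including a dangling symlink, was put there by someone else.
    if [ -e "$out" ] || [ -L "$out" ]; then
        echo "client-connect: $out already exists, refusing to write" >&2
        return 1
    fi

    # The check above can still be raced, so the write itself must fail
    # if the path appears in between. With noclobber (set -C), bash and
    # dash refuse '>' on an existing regular file and create a missing
    # one exclusively, which also fails on a dangling symlink.
    # The subshell keeps set -C and umask local to this write.
    (
        set -C
        umask 077
        printf '%s\n' 'ifconfig-push 10.8.0.10 10.8.0.9' > "$out"
    ) || {
        echo "client-connect: exclusive create of $out failed" >&2
        return 1
    }
}

# Act as a real client-connect script only when a path is supplied.
if [ "$#" -gt 0 ]; then
    write_directives "$1" || exit 1
fi
```

This only hardens the script's own write; the fix the report asks for, OpenVPN creating a proper tempfile itself, is still needed.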