Helmut Grohne
2012-Aug-06 07:06 UTC
[Secure-testing-team] Bug#683998: munin: allows creation of sockets at arbitrary locations (/tmp file vulnerability)
Package: munin
Version: 1.4.5-3
Severity: serious
Tags: security

I wondered where a socket /tmp/munin-master-processmanager-12345.sock would come from and whether it was created in a secure way. In the presence of this bug report you may have guessed that it is not.

The corresponding code can be found in /usr/share/perl5/Munin/Master/ProcessManager.pm. Apparently rundir is set to /tmp and the _prepare_unix_socket subroutine happily unlink(2)s that path and creates a socket. So via a simple race condition (use inotify!) we can place a symbolic link at the desired location and make munin place a socket at an arbitrary location. It should also be possible to turn this into a local denial of service by pointing to a non-existent directory.

Please evaluate the impact of this issue and downgrade the severity accordingly. Fixing this issue should be easy by changing the default for rundir.

Helmut
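
One way to enforce the property the report asks for, a rundir that other local users cannot write to, is to check the directory before unlinking or binding anything in it. This is an added example, not Munin's code and not part of the original report; the sub names, the socket name and the temporary directory template are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Munin code. Sub names and the socket name are hypothetical.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM);

# Return a reason string if $dir is unsafe as a rundir, undef if acceptable.
sub rundir_problem {
    my ($dir) = @_;
    my @st = lstat($dir) or return "cannot lstat $dir: $!";
    return "$dir is a symlink or not a directory" unless S_ISDIR($st[2]);
    return "$dir is not owned by the current user" unless $st[4] == $>;
    return sprintf("%s is group/world writable (mode %04o)", $dir, S_IMODE($st[2]))
        if $st[2] & (S_IWGRP | S_IWOTH);
    return undef;
}

# Bind a listening socket at $dir/$name, but only inside a private rundir.
sub listen_in_rundir {
    my ($dir, $name) = @_;
    my $why = rundir_problem($dir);
    die "refusing rundir: $why\n" if defined $why;
    my $path = "$dir/$name";
    # Remove only a stale socket we own; never unlink an arbitrary entry.
    if (my @st = lstat($path)) {
        die "$path exists and is not our socket\n"
            unless S_ISSOCK($st[2]) && $st[4] == $>;
        unlink($path) or die "unlink $path: $!\n";
    }
    my $old_umask = umask(0077);    # socket file accessible to owner only
    my $sock = IO::Socket::UNIX->new(
        Type => SOCK_STREAM, Local => $path, Listen => 5);
    my $err = $!;
    umask($old_umask);
    die "bind $path: $err\n" unless $sock;
    return $sock;
}

# Constructed demo: a fresh 0700 directory passes, shared /tmp is rejected.
my $private = tempdir("rundir-example-XXXXXX", TMPDIR => 1, CLEANUP => 1);
my $sock = listen_in_rundir($private, "processmanager-example.sock");
print "listening on ", $sock->hostpath, "\n";
print "/tmp: ", (rundir_problem("/tmp") // "ok"), "\n";
```

Because the directory is owned by the daemon's user and not writable by anyone else, no other local user can create or replace entries between the unlink and the bind.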