Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users.

For 2.0 users, the problem is corrected in version 2.0.3a:

http://shorewall.net/pub/shorewall/shorewall-2.0.3a
ftp://shorewall.net/pub/shorewall/shorewall-2.0.3a

For 1.4 users, the correct version is:

http://shorewall.net/pub/shorewall/shorewall-1.4.10f
ftp://shorewall.net/pub/shorewall/shorewall-1.4.10f

I would appreciate immediate feedback on the 1.4.10f version; given that I don't have any 1.4 systems remaining, I couldn't fully test that code.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

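
The announcement above gives no code, so the following is an added example, not Shorewall's code and not part of the original message. It illustrates the general class of flaw, assuming the overwrite happens through a symlink at a guessable temporary name, beside a hardened form using `mktemp -d` and noclobber; `unsafe_write`, `safe_tmpdir`, `safe_write` and `fw-restore.tmp` are hypothetical names.

```sh
#!/bin/sh
# Added example (not Shorewall code); function and file names are hypothetical.

# Unsafe: fixed, guessable name inside a directory other users can write to.
# '>' follows a symlink already sitting at that name and truncates its target.
unsafe_write() {                      # $1 = shared dir, $2 = data
    echo "$2" > "$1/fw-restore.tmp"
}

# Hardened: mktemp -d creates a new, unpredictably named directory atomically
# and fails if the name exists; umask 077 keeps other users out of it.
safe_tmpdir() {                       # $1 = parent dir; prints the new path
    ( umask 077; mktemp -d "$1/fw.XXXXXX" )
}

# Write inside the private directory with noclobber (set -C), so the
# redirection refuses to reuse any name that already exists.
safe_write() {                        # $1 = parent dir, $2 = data; prints file
    dir=$(safe_tmpdir "$1") || return 1
    ( set -C; echo "$2" > "$dir/rules" ) || return 1
    echo "$dir/rules"
}

# Constructed scenario: a symlink at the guessable name points at a file
# that stands in for one the script's caller (root) can write.
demo() {
    box=$(mktemp -d) || return 1
    echo "original" > "$box/victim"
    ln -s "$box/victim" "$box/fw-restore.tmp"

    unsafe_write "$box" "rules"
    echo "after unsafe_write: victim=$(cat "$box/victim")"

    echo "original" > "$box/victim"
    out=$(safe_write "$box" "rules") || return 1
    echo "after safe_write:   victim=$(cat "$box/victim") file=${out##*/}"
    rm -rf "$box"
}

demo
```
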
On 2004.06.28 13:02:24, Tom Eastep wrote:
> Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in
> the way that Shorewall handles temporary files and directories. The
> vulnerability can allow a non-root user to cause arbitrary files on the system
> to be overwritten. LEAF Bering and Bering uClibc users are generally not at
> risk due to the fact that LEAF boxes do not typically allow logins by non-root
> users.

Do you know which versions of shorewall are affected? (Or just all known versions, but patches are only available for 1.4 and 2.0 because that's all that's supported?)

--
Dark "open foot, insert mouth" R.

"Perl is a scripting language with bizarre syntax and an alarming propensity to give special meanings to every symbol in the ASCII character set."
  --John Cambra, Apple engineer

On Mon, 28 Jun 2004, Dark Ryder wrote:
> On 2004.06.28 13:02:24, Tom Eastep wrote:
> > Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in
> > the way that Shorewall handles temporary files and directories. The
> > vulnerability can allow a non-root user to cause arbitrary files on the system
> > to be overwritten. LEAF Bering and Bering uClibc users are generally not at
> > risk due to the fact that LEAF boxes do not typically allow logins by non-root
> > users.
>
> Do you know which versions of shorewall are affected? (Or just all known
> versions, but patches are only available for 1.4 and 2.0 because that's all
> that's supported?)
>

Virtually all 1.4 and 2.0 versions of Shorewall are vulnerable. Given that I don't have the cycles to correct all of them, I'm making fixes available for the latest versions in each major release.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

At 02:02 PM 6/28/2004, Tom Eastep wrote:
>Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability
>in the way that Shorewall handles temporary files and directories. The
>vulnerability can allow a non-root user to cause arbitrary files on the
>system to be overwritten. LEAF Bering and Bering uClibc users are
>generally not at risk due to the fact that LEAF boxes do not typically
>allow logins by non-root users.

I interpret from this text that this vulnerability is *not* exploitable remotely, i.e. from outside the box. Is that correct?

Thanks,

--
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com

Rodolfo J. Paiz wrote:
> At 02:02 PM 6/28/2004, Tom Eastep wrote:
>
>> Javier Fernández-Sanguino Peña has discovered an exploitable
>> vulnerability in the way that Shorewall handles temporary files and
>> directories. The vulnerability can allow a non-root user to cause
>> arbitrary files on the system to be overwritten. LEAF Bering and
>> Bering uClibc users are generally not at risk due to the fact that
>> LEAF boxes do not typically allow logins by non-root users.
>
>
> I interpret from this text that this vulnerability is *not* exploitable
> remotely, i.e. from outside the box. Is that correct?
>

That is correct -- it is only exploitable locally.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> > For 2.0 users, the problem is corrected in version 2.0.3a: > > http://shorewall.net/pub/shorewall/shorewall-2.0.3a > ftp://shorewall.net/pub/shorewall/shorewall-2.0.3aupgraded my fedora core 1 system using the tgz following INSTALL instructions. [root@gw shorewall]# uname -a Linux gw.supremeit.com 2.4.22-1.2174.nptl #1 Wed Feb 18 16:38:32 EST 2004 i686 i686 i386 GNU/Linux on start I get: [root@gw shorewall]# /sbin/shorewall start Loading /usr/share/shorewall/functions... <snip> Processing /usr/share/shorewall/action.DropUPnP... Rule "DROP - - udp 1900" added. WARNING: "dropNonSyn" has been replaced by "dropNotSyn" Processing /usr/share/shorewall/action.DropDNSrep... <snip> The following seems to fix it: [root@gw shorewall]# pwd /usr/share/shorewall [root@gw shorewall]# diff action.Drop-2.0.3a action.Drop 13c13 < dropNonSyn --- > dropNotSyn [root@gw shorewall]# diff action.Reject-2.0.3a action.Reject 13c13 < dropNonSyn --- > dropNotSyn Regards Andrew Braund
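
Review bot: both 13c13 hunks change action.Drop and action.Reject in place under /usr/share/shorewall, and the session shows no second /sbin/shorewall start after the edit, so nothing visible here confirms that the WARNING about "dropNonSyn" came from these two files or that it is gone. Rerun the start and check for the warning, and keep the -2.0.3a copies so the change can be reverted.
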
Andrew Braund wrote:
>>
>> For 2.0 users, the problem is corrected in version 2.0.3a:
>>
>> http://shorewall.net/pub/shorewall/shorewall-2.0.3a
>> ftp://shorewall.net/pub/shorewall/shorewall-2.0.3a
>
>
> upgraded my fedora core 1 system using the tgz following INSTALL
> instructions.
> [root@gw shorewall]# uname -a
> Linux gw.supremeit.com 2.4.22-1.2174.nptl #1 Wed Feb 18 16:38:32 EST
> 2004 i686 i686 i386 GNU/Linux
>
> on start I get:
>
> [root@gw shorewall]# /sbin/shorewall start
> Loading /usr/share/shorewall/functions...
> <snip>
> Processing /usr/share/shorewall/action.DropUPnP...
> Rule "DROP - - udp 1900" added.
> WARNING: "dropNonSyn" has been replaced by "dropNotSyn"
> Processing /usr/share/shorewall/action.DropDNSrep...
> <snip>

Please check the release notes -- that warning is expected if you have made local copies of the Reject and/or Drop actions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net