thr3ads.net - Secure testing team - [Secure-testing-team] Bug#601229: unwritable /var/lib/noip2/noip2.conf -> DoS or arbitrary file overwrite [Oct 2010]

If this information is useful, please help other people find it:
Share via:

Jakub Wilk

2010-Oct-24 13:30 UTC

[Secure-testing-team] Bug#601229: unwritable /var/lib/noip2/noip2.conf -> DoS or arbitrary file overwrite

Package: noip2
Version: 2.1.9-3
Severity: important
Tags: security

If:

1. /var/lib/noip2/noip2.conf is not writable by root[0] and

2. /bin/sh points to bash and

3. noip2 hasn''t been started in such a weird configuration (i.e. 
/dev/shm/noip2-readwrite.conf does not exist yet)

a local user can prevent noip2 from starting by making 
/dev/shm/noip2-readwrite.conf a dangling symlink.

Worse still, if POSIXLY_CORRECT was set while running the init script, 
the attacker would be able to overwrite arbitrary files.


[0] Why would anyone want to do that?! Please revert patch for #524020, 
it doesn''t make sense.

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL:
<http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20101024/bcdcddfd/attachment.pgp>

Secure testing team - Oct 2010 - Bug#601229: unwritable /var/lib/noip2/noip2.conf -> DoS or arbitrary file overwrite

[Secure-testing-team] Bug#601229: unwritable /var/lib/noip2/noip2.conf -> DoS or arbitrary file overwrite