Hi,
I was talking with Andrew Tridgell last night about Ethereal, and he likes
it. However, while we were looking at something we found what looks like
an exploitable race in Ethereal.
Capture.c calls tempnam to create a temporary name for the capture file,
and this seems to call pcap_dump_file or some other routine to open the file.
An strace shows the following:
open ("/tmp/ether00688aaa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 9
That is, it is not opened with O_EXCL, which means someone who is creating
links with the correct pattern has a possibility to create a link to
/etc/passwd between when we create the name and open the file ...
Does anyone know how to fix this? Perhaps we should call mkstemp and pass
a file descriptor to pcap instead?
Regards
-------
Richard Sharpe, sharpe@xxxxxxxxxx, NS Computer Software and Services P/L,
Samba (Team member www.samba.org), Ethereal (Team member www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
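As an added example (not code from this message or from Ethereal), the tempnam()+open() sequence described above replaced by mkstemp(), followed by an fstat() check on the returned descriptor rather than the path. The template "/tmp/etherXXXXXX" and the two function names are assumptions made for the example.

```c
/* Added example, not Ethereal's code. mkstemp() creates and opens the file in
 * one step with O_CREAT|O_EXCL, so a pre-planted symlink in /tmp makes the
 * call fail instead of being followed, closing the window between
 * tempnam() and open(..., O_WRONLY|O_CREAT|O_TRUNC, 0666) noted in the
 * strace above. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if fd refers to a regular file owned by us that nobody else can
 * write (what we expect from mkstemp()), 0 otherwise. Inspecting the open
 * descriptor with fstat() avoids introducing a second path-based race. */
int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))           /* a followed link would fail here */
        return 0;
    if (st.st_nlink != 1)               /* hard link planted elsewhere */
        return 0;
    if (st.st_uid != geteuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) /* old libcs used 0666; reject */
        return 0;
    return 1;
}

/* Replacement for tempnam()+open(): template_path must end in "XXXXXX" and
 * is rewritten in place with the name actually created. Returns an O_RDWR
 * descriptor or -1. The caller would then fdopen(fd, "w") and pass the
 * FILE* to pcap_dump_fopen() (libpcap call, not exercised here) instead of
 * letting pcap reopen the path by name. */
int open_capture_file_securely(char *template_path)
{
    int fd = mkstemp(template_path);    /* atomic create, mode 0600 */
    if (fd < 0)
        return -1;
    if (!fd_is_private_regular_file(fd)) {
        close(fd);
        unlink(template_path);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[] = "/tmp/etherXXXXXX";   /* same prefix as in the strace */
    int fd = open_capture_file_securely(path);
    if (fd < 0) { perror("open_capture_file_securely"); return 1; }
    printf("capture file %s opened as fd %d\n", path, fd);
    close(fd);
    unlink(path);
    return 0;
}
```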