The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] GIPTables Firewall Race Condition


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 6 Jun 2005 11:47:32 +0200
Subject: [UNIX] GIPTables Firewall Race Condition
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050606093059.3728E57F5@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  GIPTables Firewall Race Condition
------------------------------------------------------------------------


SUMMARY

" <http://www.giptables.org/>; GIPTables Firewall is a free set of shell 
scripts that helps you generate iptables rules for Linux 2.4.x and newer 
kernels. It is very easy to configure and at present, designed to run on 
hosts with one or two network cards. It doesn't require you to install any 
additional components to make it work with your GNU/Linux system. All you 
need to set-up a very secure firewall for your GNU/Linux machines is 
iptables and GIPTables Firewall."

GIPTables Firewall does not use a random naming convention for its 
temporary file creation, this allows attackers to cause a race condition 
vulnerability.

DETAILS

Vulnerable Systems:
 * GIPTables Firewall version 1.1 and prior

The vulnerability is caused due to temporary file being created 
insecurely. This can be exploited via symbolic link to create and 
overwrite arbitrary files with the privileges of the user running the 
affected script.

It is also possible to cause a denial of service by manipulating the IP 
addresses present inside the temporary file

The exploitation require that the root configure or reconfigure his 
firewall rules.

Code Snips:
# Network Ghouls

[ "$NETWORK_GHOULS" == "yes" ] && \
[ "$DEBUG" = "on" ] && echo -e "\n# Network Ghouls"

if [ "$NETWORK_GHOULS" == "yes" ] && [ -f
"$GIPTABLES_BLOCKED_FILE" ]; then

      deny_file="$GIPTABLES_BLOCKED_FILE"
      temp_file="/tmp/temp.ip.addresses"
      cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk '
$1 ' > $temp_file
      while read ip_addr
      do

          drop_ipaddr interface0_in source $ip_addr && \
          drop_ipaddr interface0_out destination $ip_addr

          [ -n "$INTERFACE1" ] &&  \
          drop_ipaddr interface1_in source $ip_addr && \
          drop_ipaddr interface1_out destination $ip_addr

          [ -n "$INTERFACE1" ] &&  \
          drop_ipaddr network1_in source $ip_addr && \
          drop_ipaddr network1_out destination $ip_addr

      done < $temp_file
      rm -f $temp_file > /dev/null 2>&1
      unset temp_file
      unset deny_file


fi


ADDITIONAL INFORMATION

The information has been provided by  <mailto:exploits@zataz.net.> ZATAZ 
Audits.
The original article can be found at:  
<http://www.zataz.net/adviso/giptables-05222005.txt>; 
http://www.zataz.net/adviso/giptables-05222005.txt




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру