OpenLDAP /usr/tmp/ Symlink Vulnerability
BID:1232
Info
| Bugtraq ID: | 1232 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 21 2000 12:00AM |
| Updated: | Apr 21 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on April 22, 2000 in a RedHat Security Advisory. |
| Vulnerable: | Turbolinux Turbolinux 6.0.2, Turbolinux Turbolinux 4.4, Turbolinux Turbolinux 4.2, Redhat openldap-1.2.9-5.i386.rpm, Redhat openldap-1.2.7-2.i386.rpm, Redhat Linux 6.2 sparc, Redhat Linux 6.2 i386, Redhat Linux 6.2 alpha, Redhat Linux 6.1 sparc, Redhat Linux 6.1 i386, Redhat Linux 6.1 alpha, OpenLDAP OpenLDAP 1.2.10, OpenLDAP OpenLDAP 1.2.9, OpenLDAP OpenLDAP 1.2.8, OpenLDAP OpenLDAP 1.2.7, Mandriva Linux Mandrake 7.0, Mandriva Linux Mandrake 6.1 |
| Not Vulnerable: | |
Discussion
A vulnerability exists in OpenLDAP as shipped with some versions of Linux, including RedHat 6.1 and 6.2, and TurboLinux 6.0.2 and earlier. OpenLDAP creates files in /usr/tmp, which on these systems is a symbolic link to the world-writable /tmp directory. Because OpenLDAP does not check whether a file already exists before opening it in /usr/tmp, an attacker can point an appropriately named symbolic link at any file on the filesystem and cause it to be destroyed.
This vulnerability also affects any Unix system with OpenLDAP, assuming the following criteria are true:
1) slapd.conf configures the "directory" variable to be /usr/tmp
2) /usr/tmp is a world writable directory.
3) slurpd was built with the DEFAULT_SLURPD_REPLICA_DIR set to /usr/tmp
Exploit / POC
ln -sf /etc/passwd /usr/tmp/NEXTID
Solution / Fix
Solution:
Patches are available from RedHat and TurboLinux to remedy this problem.
Rebuilding OpenLDAP and configuring the following values to something other than /usr/tmp will fix this problem:
servers/slapd/back-ldbm/back-ldbm.h, "DEFAULT_DB_DIRECTORY" variable
servers/slapd/slapd.conf, "directory" variable
servers/slurpd/slurp.h, "DEFAULT_SLURPD_REPLICA_DIR" variable
The latest version, 1.2.10, still appears vulnerable to this problem.
Redhat openldap-1.2.7-2.i386.rpm
- Red Hat Inc. 6.1 i386 openldap-1.2.9-6.i386.rpm
  ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm
Redhat openldap-1.2.9-5.i386.rpm
- Red Hat Inc. 6.2 i386 openldap-1.2.9-6.i386.rpm
  ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm
Turbolinux Turbolinux 6.0.2
- TurboLinux openldap-1.2.10-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-1.2.10-1.i386.rpm
- TurboLinux openldap-devel-1.2.10-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-devel-1.2.10-1.i386.rpm
- TurboLinux openldap-libs-1.2.10-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-libs-1.2.10-1.i386.rpm
- TurboLinux openldap-server-1.2.10-1.i386.rpm
  ftp://ftp.turbolinux.com/pub/updates/6.0/security/openldap-server-1.2.10-1.i386.rpm
Mandriva Linux Mandrake 6.1
- MandrakeSoft 7.0 i386 openldap-1.2.9-5mdk.i586.rpm
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/
Redhat Linux 6.1 i386
- Red Hat Inc. 6.1 i386 openldap-1.2.9-6.i386.rpm
  ftp://updates.redhat.com/6.1/i386/openldap-1.2.9-6.i386.rpm
Redhat Linux 6.1 sparc
- Red Hat Inc. 6.1 sparc openldap-1.2.9-6.sparc.rpm
  ftp://updates.redhat.com/6.1/sparc/openldap-1.2.9-6.sparc.rpm
Redhat Linux 6.1 alpha
- Red Hat Inc. 6.1 alpha openldap-1.2.9-6.alpha.rpm
  ftp://updates.redhat.com/6.1/alpha/openldap-1.2.9-6.alpha.rpm
Redhat Linux 6.2 sparc
- Red Hat Inc. 6.2 sparc openldap-1.2.9-6.sparc.rpm
  ftp://updates.redhat.com/6.2/sparc/openldap-1.2.9-6.sparc.rpm
Redhat Linux 6.2 alpha
- Red Hat Inc. 6.2 alpha openldap-1.2.9-6.alpha.rpm
  ftp://updates.redhat.com/6.2/alpha/openldap-1.2.9-6.alpha.rpm
Redhat Linux 6.2 i386
- Red Hat Inc. 6.2 i386 openldap-1.2.9-6.i386.rpm
  ftp://updates.redhat.com/6.2/i386/openldap-1.2.9-6.i386.rpm
Mandriva Linux Mandrake 7.0
- MandrakeSoft 7.0 i386 openldap-1.2.9-5mdk.i586.rpm
  ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates/