All,

We were recently forwarded by OSVDB an anonymous report regarding a potential symlink attack that affected OpenVAS when used in combination with ovaldi. Having analysed the bug as reported, I spotted two further potential flaws with the code. One was another potential symlink attack, whilst the other related to the dropping of root privileges. A quick analysis and a nasty patch are attached, although I do not expect many users to be affected due to the low use of the ovaldi functionality.

The two symlink attacks relate to the use of static filenames as parameters when executing the ovaldi binary. Whilst the attached patch will cause random filenames to be used, the nature of calling an external binary with filename parameters is always problematic, because of a race condition between time of creation and time of use. The best resolution would be for OpenVAS to work with ovaldi to create a better API for integrating it into the OpenVAS workflow.

The third flaw relates to the dropping of privileges. Traditionally, OpenVAS has always run as root, with all the potential problems that this entails. With this flaw, OpenVAS does not defensively handle the case where it is unable to become the nobody user, which could lead to code continuing to run with root privileges.

I'd characterise all three bugs as minor; given that, however, we should probably review the code concerned and make changes as necessary.

For the future, [email protected] has been set up to take future reports of potential advisories, and our vendor entry at OSVDB has been updated to that effect. I will be drafting a page for the web site in due course which will set out our process for dealing with new reports, and will of course be making this available to the rest of the OpenVAS community in due course.

Tim

--
Tim Brown
<mailto:[email protected]>
<http://www.openvas.org/>
Index: oval_plugins.c
===================================================================
--- oval_plugins.c (revision 8727)
+++ oval_plugins.c (working copy)
@@ -136,8 +136,10 @@
* platforms.
*
* TODO: Functionality for dropping privileges has now been added to
- * openvas-libraries, consider using drop_privileges instead.
+ * openvas-libraries, consider using drop_privileges instead. We should also consider
+ * failing if we can't drop privileges.
*
+ *
* @param user_data Pointer to additional data passed by glib; currently unused.
*/
void
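Review bot: This hunk only extends the TODO comment, so the privilege-drop flaw described in the mail (continuing as root when switching to the nobody user fails) is still unfixed by the patch; rather than noting "We should also consider failing if we can't drop privileges", the code that calls setgid/setuid should check their return values and abort the ovaldi launch on failure. Minor style point: the added bare ` *` line duplicates the existing blank comment line directly above it and can be dropped.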
@@ -575,8 +577,8 @@
void
ovaldi_launch (struct arglist *g_args)
{
- gchar *sc_filename;
- gchar *results_filename;
+ char *sc_filename;
+ char *results_filename;
FILE *sc_file;
time_t t;
struct tm *tmp;
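Review bot: The `gchar *` to `char *` change is harmless (gchar is a typedef for char in glib) but the reason is not obvious from the hunk: the two buffers are now allocated by tempnam() with malloc() and must be released with free() rather than g_free(), unlike the g_strconcat() result they replace. A one-line comment at the declarations stating that these are malloc()'d, not glib-allocated, would stop a later maintainer from "fixing" them back to g_free().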
@@ -590,9 +592,9 @@
strlen ((char *) arg_get_value (g_args, "name")) -
strlen (basename));
- sc_filename = g_strconcat (folder, "sc-out.xml", NULL);
+ sc_filename = tempnam(folder, "sc-out.xml");
log_write ("SC Filename: %s\n", sc_filename);
- results_filename = "/tmp/results.xml";
+ results_filename = tempnam("/tmp", "results.xml");
if (g_file_test (results_filename, G_FILE_TEST_EXISTS))
{
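Review bot: tempnam() only generates a name and does not create the file, so the time-of-check/time-of-use window the mail describes is unchanged: the `g_file_test (results_filename, G_FILE_TEST_EXISTS)` check on the following line is itself a racy check, and tempnam() is marked obsolescent in POSIX. Note also that only the first few characters of the prefix argument are used by tempnam(), so "sc-out.xml" and "results.xml" will not appear in full in the generated names, and that tempnam() honours the TMPDIR environment variable for the `/tmp` case. Since sc-out.xml is written by this code, it can be created with mkstemp() (atomic O_CREAT|O_EXCL); since results.xml is written by the ovaldi child, the more robust option is to create a private 0700 directory with mkdtemp() and pass ovaldi a fixed filename inside it, which also removes the need for the existence check.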
@@ -1078,6 +1080,8 @@
post_note (g_args, 0, result_string);
log_write ("Could not launch ovaldi!\n");
}
+ free(sc_filename);
+ free(results_filename);
g_strfreev (argv);
g_free (result_string);
}
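Review bot: free() is the right release for tempnam() results, but the two calls sit only on the fall-through path at the end of ovaldi_launch(); confirm there is no early return between the tempnam() calls at the top of the function and this point, otherwise both buffers leak. tempnam() can also return NULL (for example on ENOMEM), and the earlier hunk passes the result straight to `log_write ("SC Filename: %s\n", sc_filename)` and `g_file_test (results_filename, ...)` without a NULL check; failing the launch when either name is NULL would be consistent with the "fail closed" intent stated in the TODO.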
_______________________________________________ Openvas-discuss mailing list [email protected] http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
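As an added illustration of the two mitigations discussed in the mail (not code from OpenVAS or from Tim's patch), the following C example creates the ovaldi scratch file inside a private mkdtemp() directory with O_EXCL|O_NOFOLLOW instead of naming it with tempnam(), and drops privileges in a way that fails rather than silently continuing as root. The function names `make_private_file` and `drop_privileges_checked` and the `/tmp/ovaldi-XXXXXX` template are assumptions for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Example helper (hypothetical name): creates a private 0700 directory with
 * mkdtemp(), then creates `name` inside it. O_EXCL refuses to proceed if any
 * entry (file, symlink, dangling symlink) already exists at that path, and
 * O_NOFOLLOW refuses to open through a symlink at the final component, so a
 * pre-planted link cannot redirect the write. The full path is written to
 * `out`. Returns the open fd, or -1 with errno set. */
int make_private_file(const char *name, char *out, size_t outlen)
{
    char dir[] = "/tmp/ovaldi-XXXXXX";   /* assumed template */
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen) {
        rmdir(dir);
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) {
        int saved = errno;
        rmdir(dir);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Example helper (hypothetical name): switch to uid/gid and verify the
 * switch actually happened, instead of ignoring the setgid()/setuid()
 * return values. Returns 0 on success, -1 (errno set) if the process may
 * still hold root; the caller should abort rather than launch ovaldi. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Re-check: ids must match, and root must not be regainable. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid ||
        (uid != 0 && setuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```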
