Package: nut
Version: 2.2.2-6.4
Severity: important

upsd does not check usernames and passwords when receiving a 'login' command.

$ telnet localhost nut
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
get numlogins ups1
NUMLOGINS ups1 0
username nosuchuser
OK
password nosuchpassword
OK
login ups1
OK
get numlogins ups1
NUMLOGINS ups1 1

(Actually, checking the source code, I found that the daemon never sends
"INVALID-USERNAME"/"INVALID-PASSWORD" error codes to the client.

#define NUT_ERR_INVALID_USERNAME       "INVALID-USERNAME"
#define NUT_ERR_INVALID_PASSWORD       "INVALID-PASSWORD"

Symbols NUT_ERR_INVALID_USERNAME and NUT_ERR_INVALID_PASSWORD are
defined but not used.)

So a malicious user having permission to read UPS variables can block upsd
with a fake login.
According to 'protocol.txt':

| The upsmon master will wait until the count of attached systems reaches
| 1 - itself.  This allows the slaves to shut down first.

So if somebody does a fake login and keeps the TCP connection open,
the master host could not gracefully shut itself down in time.

Further investigation in progress.

Gabor

-- System Information:
Debian Release: 5.0.2
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages nut depends on:
ii  adduser                   3.110          add and remove users and groups
ii  debconf                   1.5.24         Debian configuration management sy
ii  libc6                     2.7-18         GNU C Library: Shared libraries
ii  libupsclient1             2.2.2-6.4      Client library for the nut - Netwo
ii  libusb-0.1-4              2:0.1.12-13    userspace USB programming library
ii  lsb-base                  3.2-20         Linux Standard Base 3.2 init scrip
ii  udev                      0.125-7+lenny3 /dev/ and hotplug management daemo

nut recommends no packages.

Versions of packages nut suggests:
pn  nut-cgi                       <none>     (no description available)
pn  nut-dev                       <none>     (no description available)
ii  nut-snmp                      2.2.2-6.4  A meta SNMP Driver subsystem for t
pn  nut-xml                       <none>     (no description available)

-- debconf information:
  nut/major_upstream_changes:
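
A regression check for the behaviour reported above, as an added example that is not part of the original report or of the NUT sources: it replays the session from the transcript through any `send(line) -> reply` callable and reports whether a login with unknown credentials was accepted. `ModelUpsd`, the account `monuser` and the `ERR INVALID-PASSWORD` reply format are constructed stand-ins so the check runs offline.

```python
class ModelUpsd:
    """Constructed stand-in for upsd (not the daemon's code)."""
    def __init__(self, users, check_login):
        self.users, self.check_login = users, check_login
        self.user = self.password = None
        self.logins = 0

    def send(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.lower()
        if cmd == "username":          # stored only, as in the transcript
            self.user = arg
            return "OK"
        if cmd == "password":
            self.password = arg
            return "OK"
        if cmd == "get" and arg.lower().startswith("numlogins "):
            return f"NUMLOGINS {arg.split()[1]} {self.logins}"
        if cmd == "login":
            # Hardened path: unknown user, wrong password, or no credentials
            # at all must not be counted as an attached system.
            known = self.user in self.users
            if self.check_login and not (known and self.users[self.user] == self.password):
                return "ERR INVALID-PASSWORD"  # assumed reply format
            self.logins += 1
            return "OK"
        return "ERR UNKNOWN-COMMAND"


def numlogins(send, ups):
    """Parse 'NUMLOGINS <ups> <count>' as shown in the transcript."""
    parts = send(f"get numlogins {ups}").split()
    if len(parts) != 3 or parts[0] != "NUMLOGINS" or not parts[2].isdigit():
        raise ValueError(f"unexpected reply: {parts!r}")
    return int(parts[2])


def accepts_bogus_login(send, ups="ups1"):
    """True if a login with nonexistent credentials is accepted or counted."""
    before = numlogins(send, ups)
    send("username nosuchuser")
    send("password nosuchpassword")
    reply = send(f"login {ups}").strip()
    return reply == "OK" or numlogins(send, ups) > before
```

To run it against a test instance of upsd, pass a `send` callable that writes one line to the server and returns the one-line reply.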


