Package: nut
Version: 2.2.2-6.4
Severity: important

upsd does not check usernames and passwords when receiving a 'login' command.

$ telnet localhost nut
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
get numlogins ups1
NUMLOGINS ups1 0
username nosuchuser
OK
password nosuchpassword
OK
login ups1
OK
get numlogins ups1
NUMLOGINS ups1 1

(Actually, checking the source code I found that the daemon never sends
"INVALID-USERNAME"/"INVALID-PASSWORD" error codes to the client.

#define NUT_ERR_INVALID_USERNAME "INVALID-USERNAME"
#define NUT_ERR_INVALID_PASSWORD "INVALID-PASSWORD"

Symbols NUT_ERR_INVALID_USERNAME and NUT_ERR_INVALID_PASSWORD are defined
but not used.)

So a malicious user having permission to read UPS variables can block upsd
with a fake login. According to 'protocol.txt':

| The upsmon master will wait until the count of attached systems reaches
| 1 - itself. This allows the slaves to shut down first.

So if somebody does a fake login and keeps the TCP connection open, the master
host could not gracefully shut itself down in time.

Further investigation in progress.

Gabor

-- System Information:
Debian Release: 5.0.2
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages nut depends on:
ii  adduser        3.110           add and remove users and groups
ii  debconf        1.5.24          Debian configuration management sy
ii  libc6          2.7-18          GNU C Library: Shared libraries
ii  libupsclient1  2.2.2-6.4       Client library for the nut - Netwo
ii  libusb-0.1-4   2:0.1.12-13     userspace USB programming library
ii  lsb-base       3.2-20          Linux Standard Base 3.2 init scrip
ii  udev           0.125-7+lenny3  /dev/ and hotplug management daemo

nut recommends no packages.

Versions of packages nut suggests:
pn  nut-cgi   <none>     (no description available)
pn  nut-dev   <none>     (no description available)
ii  nut-snmp  2.2.2-6.4  A meta SNMP Driver subsystem for t
pn  nut-xml   <none>     (no description available)

-- debconf information:
  nut/major_upstream_changes:
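
The check the report finds missing, as an added example that is not part of the original report and is not NUT's code: a login handler that counts a client in NUMLOGINS only after the stored username and password have been verified. Only the two NUT_ERR_* strings come from the report; the structs, the account table, handle_login() and the ALREADY-LOGGED-IN code are assumptions made for illustration, and wire framing of the reply is left out.

```c
#include <stdio.h>
#include <string.h>

/* Error codes quoted in the report; every other name here is hypothetical. */
#define NUT_ERR_INVALID_USERNAME "INVALID-USERNAME"
#define NUT_ERR_INVALID_PASSWORD "INVALID-PASSWORD"
#define ERR_ALREADY_LOGGED_IN    "ALREADY-LOGGED-IN"  /* assumed code */

struct user   { const char *name, *password; };
struct client { const char *username, *password; int logged_in; };
struct ups    { int numlogins; };

/* Constructed account table standing in for the daemon's user database. */
static const struct user users[] = { { "monmaster", "example-secret" } };

/* LOGIN handler: the login count changes only after both checks pass. */
const char *handle_login(struct client *c, struct ups *u)
{
    size_t i;
    if (c->logged_in)                 /* one connection counts at most once */
        return ERR_ALREADY_LOGGED_IN;
    if (c->username == NULL)          /* LOGIN sent before USERNAME */
        return NUT_ERR_INVALID_USERNAME;
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(c->username, users[i].name) != 0)
            continue;
        if (c->password == NULL || strcmp(c->password, users[i].password) != 0)
            return NUT_ERR_INVALID_PASSWORD;
        c->logged_in = 1;
        u->numlogins++;
        return "OK";
    }
    return NUT_ERR_INVALID_USERNAME;  /* unknown user: count is untouched */
}

int main(void)
{
    /* Replays the session from the report against the checked handler. */
    struct ups ups1 = { 0 };
    struct client fake = { "nosuchuser", "nosuchpassword", 0 };
    const char *reply = handle_login(&fake, &ups1);
    printf("login ups1 -> %s, NUMLOGINS ups1 %d\n", reply, ups1.numlogins);
    return 0;
}
```

Returning distinct codes for an unknown username and a wrong password lets a client enumerate account names; a single failure code avoids that.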