Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1WNq7J-0004Lk-Tq@ssh.steve.org.uk>
Date: Wed, 12 Mar 2014 20:47:48 +0000
From: Steve Kemp <steve@...ve.org.uk>
To: oss-security@...ts.openwall.com
Subject: CVE-Request - pen issues

  There are some minor issues reported in the pen-load-balancer,
 which could use CVE Identifiers:

        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

  1.  Insecure use of temporary files when requesting
     websteats:

        } else if (!strcmp(p, "status")) {
                p = webfile;
                webfile = "/tmp/webfile.html";
                webstats();
        ...


   2.  Insecure use of temporary files when invoking
      the penctl command in the supplied CGI script:

PENCTL=penctl
...
        $PENCTL $SERVER:$PORT status 2> /tmp/penctl.cgi
..


    3.  When a control-socket is configured (via "-C ip:port" added
       to the pen command line) a user who can connect to that port
       can overwrite arbitrary files as the user pen is launched as:

shelob ~ $ sudo pen 4444 localhost:9000 -C 127.0.0.1:5043
shelob ~ $ penctl 127.0.0.1:5043 write /tmp/meow
shelob ~ $ penctl 127.0.0.1:5043 write /etc/owned
shelob ~ $ ls -l /etc/owned /tmp/meow
-rw-r--r-- 1 root root 1187 Mar 11 18:35 /etc/owned
-rw-r--r-- 1 root root 1186 Mar 11 18:35 /tmp/meow

  Please feel free to ask for details if they can be helpful,
 versions are unknown, but the current version is v0.18.0

Steve
-- 
http://www.steve.org.uk/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.