xorl %eax, %eax

CVE-2011-1784: Debian World Writable PID files
Some time ago, ‘helpermn’ reported some world-writable files to the debian-security mailing list. Specifically, the following:

/var/run/checkers.pid
/var/run/vrrp.pid
/var/run/keepalived.pid
/var/run/starter.pid
/var/lock/subsys/ipsec

Although this is a very common bug that is fixed simply by updating the corresponding initialization scripts of each daemon, it opens up a nice security hole. As Henrique de Moraes Holschuh (aka hmh) quickly pointed out, because of this bug any user could replace the contents of the PID files and consequently force the corresponding daemon to send signals to arbitrary processes.

Even though it is not a low-level vulnerability, it is definitely interesting.
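The whole bug is an init script trusting whatever it finds in the PID file before calling kill. Below is an added example, not code from the post or from any of the daemons named in it, of the check a stop action could run on a PID file before signalling, plus a find-based audit for the condition ‘helpermn’ reported; the script name and paths in the usage comment are hypothetical.

```shell
# check_pidfile FILE [OWNER_UID]
# Prints the PID and returns 0 only when FILE is a regular file (not a symlink)
# owned by OWNER_UID (default 0), not writable by group or other, and holding a
# single positive integer. A stop action should signal only a PID that passes.
check_pidfile() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Octal mode and numeric owner: GNU stat first, BSD stat as fallback.
    st=$(stat -c '%a %u' "$f" 2>/dev/null) ||
        st=$(stat -f '%Lp %u' "$f" 2>/dev/null) || return 1
    mode=${st% *}
    uid=${st#* }
    [ "$uid" = "$want_uid" ] || return 1
    # Last two octal digits are group/other; a set write bit means 2, 3, 6 or 7.
    case $mode in *[2367]?|*[2367]) return 1 ;; esac
    # Content must be one decimal number: no sign, no trailing garbage.
    pid=$(head -n 1 "$f" | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 0 ] 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# audit_pidfiles DIR...
# Lists regular files under the given directories that are group- or
# world-writable; any output is exactly the condition reported in the post.
audit_pidfiles() {
    find "$@" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Usage (hypothetical script name): sh pidcheck.sh /var/run /var/lock/subsys
if [ $# -gt 0 ]; then
    echo "Group/world-writable files:"; audit_pidfiles "$@"
    for p in "$1"/*.pid; do
        [ -e "$p" ] || continue
        if pid=$(check_pidfile "$p"); then echo "ok     $p -> $pid"
        else echo "REJECT $p"; fi
    done
fi
```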

Written by xorl

May 28, 2011 at 17:45

Posted in bugs

2 Responses

  1. Is this a real issue? There was some discussion in
    Debian-Security regarding this, calling it a dud.

    Below is verbatim the email from Paul Wouters

    “It seems this report got turned into a CVE for Openswan, CVE-2011-2147

    http://www.securityfocus.com/bid/47958/info
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2147

    If debian is still shipping openswan-2.2 unpatched anywhere (released
    January 2005) this could be a problem, albeit an extremely minor
    one compared to the actual two CVE issues that have come up in openswan
    since then. We hope that any openswan-2.2 version that is in active use
    has at least gotten some serious looking at based on the security releases
    that have since been made.

    openswan 2.6.x on debian/ubuntu and fedora/rhel/centos create a read-only
    file in /var/locl/subsys.

    If someone finds an issue that is actually a security issue, and they
    deem it worthy of a CVE release, we strongly encourage those people to
    contact us beforehand so we can do a proper responsible vulnerability
    disclosure. We also strongly recommend that the CVE people at least attempt
    to make an attempt to contact a vendor before releasing vulnerabilities
    to the public. We don’t bite, honest!

    It looks as if someone or some company was in need of reaching their
    CVE quota of the month. It would be a shame if future CVE announcements
    would get ignored because of too many CVE releases on 6 year old software
    releases.

    Paul Wouters”

    thanasisk

    May 31, 2011 at 18:24

  2. Interesting but this is the main reason why I did not publish anything regarding CVE-2011-2147.

    In any case, thanks for the heads up.

    xorl

    May 31, 2011 at 22:33
