[klibc] [oss-security] CVE request: klibc: ipconfig sh script with unescaped DHCP options
dan.j.rosenberg at gmail.com
Wed May 18 13:13:05 PDT 2011
Might it be worth fixing the insecure temporary file usage?
122 snprintf(fn, sizeof(fn), "/tmp/net-%s.conf", dev->name);
123 f = fopen(fn, "w");
What if someone else has already created that file, or put a symlink
or hard link there? What if someone overwrites your string with
command injection characters despite your stripping?
On Wed, May 18, 2011 at 4:44 AM, maximilian attems <max at stro.at> wrote:
> Related to CVE-2011-0997
> ipconfig vulnerability for malicious dhcpd if $DNSDOMAIN is later
> used unquoted, than proof of concept involves
> DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"
> will be part of the just to be released klibc-1.5.22
> klibc mailing list
> klibc at zytor.com
More information about the klibc