ISC inn creates temporary files insecurely

Overview

inn, a network news agent, may be configured on some operating systems to use a publically-writeable directory for its temporary files. This may be exploited to gain access to the news account.

Description

inn is distributed on a variety of Linux platforms. The program is written under the assumption that the directory in which it stores temporary files is a private directory. On some platforms, it may be configured to create temporary files in /tmp or /var/tmp, both of which are world-writeable directories. This may leave inn subject to modification of files either by symbolic links, or by direct modification of the temporary files.

---

Impact

By creating a symbolic link named for the temporary file and pointed toward an inn configuration file, an attacker may cause modification of these files (or any other file writable by the news user). Should the attacker manage to control the content of these files, it may be possible to gain access to the news account.

---

Solution

Apply vendor patches; see the Systems Affected section below.

---

Reconfigure inn to use a non-world-writable temporary directory.

---

Vendor Information

964488

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Caldera __ Affected

Notified: January 11, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/caldera_advisory-1057.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23964488 Feedback>).

Debian __ Affected

Notified: January 29, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/debian_advisory-1098.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23964488 Feedback>).

ISC __ Affected

Notified: January 16, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

It's recently come to our attention that some repackagers of INN have mistakenly shipped INN packages configured to use the system temporary directory (either /tmp or /var/tmp) for create temporary files. INN expects its configured temporary directory to only be writeable by the news user and does not take sufficient precautions when creating temporary files to be able to use world-writeable temporary directories. This configuration could be exploited to gain access to the news account.

This was partly a configuration error and partly a documentation problem. This issue should have been much more clearly pointed out in the installation documentation (fixed in the current version of INN).
If you are using a pre-compiled version of INN, please check the configuration in inn.conf and make sure that pathtmp points to a directory that is not world-writeable. If it does point to a world-writeable directory, create a new directory owned by the news user and only writeable by that user, change pathtmp in inn.conf to point to that directory, and restart INN (with rc.news stop; rc.news start).
If you package INN as part of a distribution, please make sure that INN is configured to use a private temporary directory. If you configure INN with --prefix=/usr, you will need to use --with-tmp-path to ensure that the temporary directory is not set to /usr/tmp.
As of INN 2.3.1, which was released on 2001-01-11, INN will warn loudly at configure time if the configured temporary directory is world-writeable. There is also additional documentation of this issue in INSTALL.
There is work underway both to make FHS-compliance a standard configure option so that these sorts of problems can be caught and solved in one place and to make INN more robust against use of a world-writeable temporary directory. We will always strongly recommend, however, that INN be configured to use a private temporary directory, since getting all of the details of safe temporary file handling right in a portable manner is difficult and there's no reason not to use a private directory.
Thanks to Greg KH and Steve Beattie at WireX for bringing this to our attention.
Russ Allbery Katsuhiro Kondou [email protected]

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23964488 Feedback>).

Immunix __ Affected

Notified: January 10, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

Immunix advisory IMNX-2000-70-023-01 (see below).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

----------------------------------------------------------------------

Packages updated:inn Effected products:Immunix OS 7.0-beta Bugs Fixed:immunix/1315 Date:January 10, 2000 Advisory ID:IMNX-2000-70-023-01 Author:Greg Kroah-Hartman <[email protected]> -----------------------------------------------------------------------

Description: In an internal audit conducted while preparing Immunix Linux 7.0 we noticed a potential temp file race problem in the inn program. This is partly due to the way that the inn program is compiled and set up on Immunix Linux, and partly due to the lack of information in the inn program detailing potential security problems if you do not tell inn to use a private temporary directory. We have applied a patch that creates temporary files safely for inn, AND moved all temp file creation by inn into it's own private directory which should solve this problem.
Packages have been created and released for Immunix 7.0 beta to fix this problem.
Package names and locations: Precompiled binary packages for Immunix 7.0 beta is available at: ``<http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/inews-2.2.3-3_StackGuard_3.i386.rpm>`` ``<http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/inn-2.2.3-3_StackGuard_3.i386.rpm>`` ``<http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/inn-devel-2.2.3-3_StackGuard_3.i386.rpm>``
Source package for Immunix 7.0 beta is available at: ``<http://www.immunix.org/ImmunixOS/7.0-beta/updates/SRPMS/inn-2.2.3-3_StackGuard_3.src.rpm>``
md5sums of the packages: ead2af814ce19919c1b9f3a5cb6db853 inews-2.2.3-3_StackGuard_3.i386.rpm feea622aca6a5b217e42f11df025fa90 inn-2.2.3-3_StackGuard_3.i386.rpm 0fe0bad19dcde112b83e803023b85c9f inn-devel-2.2.3-3_StackGuard_3.i386.rpm 25676fde907a0b71f665512bdf1b2aa8 inn-2.2.3-3_StackGuard_3.src.rpm

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23964488 Feedback>).

MandrakeSoft __ Affected

Notified: January 10, 2001 Updated: August 17, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/mandrake_advisory-1038.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23964488 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.securityfocus.com/bid/2190&gt;
• <http://www.linuxsecurity.com/advisories/debian_advisory-1098.html&gt;
• <http://www.linuxsecurity.com/advisories/caldera_advisory-1057.html&gt;
• <http://www.linuxsecurity.com/advisories/mandrake_advisory-1038.html&gt;

Acknowledgements

This vulnerability was first described by Greg Kroah-Hartman.

This document was last modified by Tim Shimeall.

Other Information

CVE IDs:	CVE-2001-0139
Severity Metric:	5.40 Date Public: