Bugzilla – Bug 868116
VUL-0: CVE-2014-2387: pen: several issues
Last modified: 2015-02-16 09:19:02 UTC
from debian via oss-sec

From: Steve Kemp <steve@steve.org.uk>
Date: Wed, 12 Mar 2014 20:47:48 +0000
Subject: [oss-security] CVE-Request - pen issues

There are some minor issues reported in the pen-load-balancer, which could use CVE Identifiers:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

1. Insecure use of temporary files when requesting webstats:

    } else if (!strcmp(p, "status")) {
        p = webfile;
        webfile = "/tmp/webfile.html";
        webstats();
    ...

2. Insecure use of temporary files when invoking the penctl command in the supplied CGI script:

    PENCTL=penctl
    ...
    $PENCTL $SERVER:$PORT status 2> /tmp/penctl.cgi
    ..

3. When a control-socket is configured (via "-C ip:port" added to the pen command line) a user who can connect to that port can overwrite arbitrary files as the user pen is launched as:

    shelob ~ $ sudo pen 4444 localhost:9000 -C 127.0.0.1:5043
    shelob ~ $ penctl 127.0.0.1:5043 write /tmp/meow
    shelob ~ $ penctl 127.0.0.1:5043 write /etc/owned
    shelob ~ $ ls -l /etc/owned /tmp/meow
    -rw-r--r-- 1 root root 1187 Mar 11 18:35 /etc/owned
    -rw-r--r-- 1 root root 1186 Mar 11 18:35 /tmp/meow

Please feel free to ask for details if they can be helpful; versions are unknown, but the current version is v0.18.0.

Steve
--
http://www.steve.org.uk/

References:
http://comments.gmane.org/gmane.comp.security.oss.general/12351
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370
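As an added illustration (not pen's code and not part of the bug report), the fixed-path open pattern behind issue 1 beside a hardened open that refuses pre-existing names and symlinks; the function names, the private directory and the "victim" file and link used by the self-check are constructed for this example:

```c
#define _GNU_SOURCE  /* O_NOFOLLOW and mkdtemp under strict feature macros */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* The reported pattern (assumed shape, not pen's code): create/truncate at a
 * predictable, world-writable path, following whatever is already there. */
int open_status_insecure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL refuses a name that already exists and O_NOFOLLOW refuses a
 * symlink in the final component, so a pre-planted link cannot redirect the
 * write. -1 with errno EEXIST/ELOOP means "name taken": log it, never fall back. */
int open_status_secure(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Self-check: in a fresh private directory, plant webfile.html -> victim (a
 * constructed stand-in for a file such as /etc/owned) and run both openers.
 * Bit 0: insecure opener overwrote victim through the link; bit 1: secure
 * opener refused. 3 means both behaviours were confirmed, -1 is a setup error. */
int symlink_check(void) {
    char dir[] = "/tmp/penchkXXXXXX", victim[64], link[64], buf[16];
    int result = 0, fd;
    ssize_t n;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/webfile.html", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);       /* known content first */
    if (fd < 0 || write(fd, "original\n", 9) != 9) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;
    fd = open_status_insecure(link);
    if (fd >= 0) {
        if (write(fd, "status\n", 7) != 7) return -1;
        close(fd);
        fd = open(victim, O_RDONLY);
        n = read(fd, buf, sizeof buf);
        close(fd);
        if (n == 7 && memcmp(buf, "status\n", 7) == 0) result |= 1;
    }
    fd = open_status_secure(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 2;
    else if (fd >= 0) close(fd);
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```

The same O_EXCL|O_NOFOLLOW discipline applies to the CGI script's `2> /tmp/penctl.cgi` redirection, where the shell equivalent is writing under a private directory created with mktemp -d rather than a fixed name in /tmp.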
bugbot adjusting priority
From: cve-assign@mitre.org

> webfile = "/tmp/webfile.html";

> 2> /tmp/penctl.cgi

Use CVE-2014-2387 for both issues involving files in the /tmp directory.

> 3. When a control-socket is configured (via "-C ip:port" added
> to the pen command line) a user who can connect to that port
> can

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370
>
> there is no documentation implying that using a control-socket is
> dangerous.

> pen.1
>
> -C \fIport\fR
> Specifies a control port where the load balancer listens for commands.

This seems to be an opportunity for security improvement, not a vulnerability. It appears that the design goal was to listen for commands in a way that could be acceptable on a server with sufficiently restricted access, and not acceptable in arbitrary environments. "port where the load balancer listens for commands" seems sufficiently descriptive for a reasonable person to immediately wonder who can send commands.

Furthermore, the example in question:

  sudo pen 4444 localhost:9000 -C 127.0.0.1:5043

suggests that the person is aware that "a control port" means a TCP port, not some other type of port with obvious permission-based restrictions.

A CVE assignment could be made if there were an implementation error (e.g., the user specifies listening on 127.0.0.1 but the code actually listens on all interfaces). A CVE assignment might also be possible for some types of design problems, but they'd need to be considerably more surprising and the documentation would need to be considerably more misleading.
The actual version, 0.18, fixed it already. Now the temp files are handled like: /var/run/pen.pid-[Port]