Bug 868116 - (CVE-2014-2387) VUL-0: CVE-2014-2387: pen: several issues
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Enhancement
Target Milestone: ---
Assigned To: Joachim Werner
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/97002/
Depends on:
Blocks:
Reported: 2014-03-13 07:37 UTC by Marcus Meissner
Modified: 2015-02-16 09:19 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-03-13 07:37:25 UTC
From Debian via oss-sec:

From: Steve Kemp <steve@steve.org.uk>
Date: Wed, 12 Mar 2014 20:47:48 +0000
Subject: [oss-security] CVE-Request - pen issues

There are some minor issues reported in the pen load balancer,
which could use CVE Identifiers:

        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370

  1.  Insecure use of temporary files when requesting
      webstats:

        } else if (!strcmp(p, "status")) {
                p = webfile;
                webfile = "/tmp/webfile.html";
                webstats();
        ...


  2.  Insecure use of temporary files when invoking
      the penctl command in the supplied CGI script:

PENCTL=penctl
...
        $PENCTL $SERVER:$PORT status 2> /tmp/penctl.cgi
..


  3.  When a control-socket is configured (via "-C ip:port" added
      to the pen command line) a user who can connect to that port
      can overwrite arbitrary files as the user pen is launched as:

shelob ~ $ sudo pen 4444 localhost:9000 -C 127.0.0.1:5043
shelob ~ $ penctl 127.0.0.1:5043 write /tmp/meow
shelob ~ $ penctl 127.0.0.1:5043 write /etc/owned
shelob ~ $ ls -l /etc/owned /tmp/meow
-rw-r--r-- 1 root root 1187 Mar 11 18:35 /etc/owned
-rw-r--r-- 1 root root 1186 Mar 11 18:35 /tmp/meow

  Please feel free to ask for details if they can be helpful;
  versions are unknown, but the current version is v0.18.0.

Steve
-- 
http://www.steve.org.uk/


References:
http://comments.gmane.org/gmane.comp.security.oss.general/12351
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370
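Both /tmp issues in the report (the fixed `webfile = "/tmp/webfile.html"` path inside pen and the `2> /tmp/penctl.cgi` redirection in the CGI script) share one root cause: a predictable filename in a world-writable directory, opened in a way that follows whatever a local user has already planted there. The program below is an added example written for this page, not code from pen, penctl.cgi or the reporter. It stages the symlink clobber in a private scratch directory created with mkdtemp() (assumption: /tmp is writable), then contrasts the fopen(path, "w") pattern with open() using O_CREAT|O_EXCL|O_NOFOLLOW. The function names, the "victim.conf" file and the scratch layout are inventions for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern, modelled on pen's fixed "/tmp/webfile.html":
 * fopen("w") follows a symlink already sitting at that path and
 * truncates whatever it points to, with the daemon's privileges. */
static int write_status_predictable(const char *path, const char *body)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(body, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_EXCL rejects any pre-existing name (even a dangling
 * symlink) and O_NOFOLLOW refuses to traverse a symlink at the final
 * component, so a planted link fails the open with EEXIST/ELOOP instead
 * of being followed. mkstemp() is the alternative when the name itself
 * need not be fixed. */
static int write_status_safe(const char *path, const char *body)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(body);
    int rc = (write(fd, body, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Read a small file into buf, NUL-terminated; -1 on error. */
static ssize_t slurp(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Stage the attack: a "victim" file the attacker cannot write directly,
 * and a symlink planted at the predictable status-file name pointing at
 * it. Returns a bitmask: bit 0 = vulnerable writer clobbered the victim,
 * bit 1 = hardened writer refused and left it intact; -1 on setup error.
 * Both behaviours present gives 3. */
static int demo_symlink_clobber(void)
{
    char dir[] = "/tmp/pen-demo-XXXXXX";   /* assumption: /tmp writable */
    char victim[PATH_MAX], planted[PATH_MAX], buf[64];
    const char *original = "original contents\n";
    const char *page = "status page\n";
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(planted, sizeof planted, "%s/webfile.html", dir);

    FILE *v = fopen(victim, "w");
    if (v == NULL || fputs(original, v) == EOF || fclose(v) != 0)
        return -1;
    if (symlink(victim, planted) != 0)     /* attacker wins the name first */
        return -1;

    /* Hardened writer: must fail and leave the victim untouched. */
    if (write_status_safe(planted, page) == -1 &&
        slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, original) == 0)
        result |= 2;

    /* Vulnerable writer: follows the link; the victim now holds the page. */
    write_status_predictable(planted, page);
    if (slurp(victim, buf, sizeof buf) > 0 && strcmp(buf, page) == 0)
        result |= 1;

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_clobber();
    printf("vulnerable writer clobbered victim: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened writer refused symlink:    %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The same reasoning applies to the shell redirection in the CGI script: `2> /tmp/penctl.cgi` is the shell equivalent of fopen("w") on a fixed name, and the fix there is a per-invocation name from mktemp(1) in a private directory rather than a constant path under /tmp.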
Comment 1 Swamp Workflow Management 2014-03-13 23:00:20 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-03-14 07:23:42 UTC
From: cve-assign@mitre.org

> webfile = "/tmp/webfile.html";

> 2> /tmp/penctl.cgi

Use CVE-2014-2387 for both issues involving files in the /tmp directory.


>     3.  When a control-socket is configured (via "-C ip:port" added
>        to the pen command line) a user who can connect to that port
>        can

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370
> 
> there is no documentation implying that using a control-socket is
> dangerous.

> pen.1
> 
> -C \fIport\fR
> Specifies a control port where the load balancer listens for commands.

This seems to be an opportunity for security improvement, not a
vulnerability. It appears that the design goal was to listen for
commands in a way that could be acceptable on a server with
sufficiently restricted access, and not acceptable in arbitrary
environments. "port where the load balancer listens for commands" seems
sufficiently descriptive for a reasonable person to immediately wonder
who can send commands. Furthermore, the example in question:

  sudo pen 4444 localhost:9000 -C 127.0.0.1:5043

suggests that the person is aware that "a control port" means a TCP
port, not some other type of port with obvious permission-based
restrictions. A CVE assignment could be made if there were an
implementation error (e.g., the user specifies listening on 127.0.0.1
but the code actually listens on all interfaces). A CVE assignment
might also be possible for some types of design problems, but they'd
need to be considerably more surprising and the documentation would
need to be considerably more misleading.
Comment 3 Victor Pereira 2015-02-16 09:19:02 UTC
The current version, 0.18, has already fixed it. Now the temp files are handled like: /var/run/pen.pid-[Port]