
Re: Packages that download/install unsecured files



Patrick Matthäi wrote:
> In the case of geoip it is just a data file (like a .svg etc) with no
> attacking vector. The attacker could only inject a corrupted database
> and geoip will throw errors/false positions.
> 
> Is this realy a vector for it?
> 

I think there is an attack vector for it.

What the example update scripts (debian/scripts/geolite*.sh) in the geoip
package do is basically:

    wget -O - http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz | gunzip

Anyone who has access to the DNS server used in order to resolve
geolite.maxmind.com can cause the script to download malicious code. And even
though the script does not execute the code, it does use wget to download it,
and pipes it through gunzip. If any unknown security vulnerabilities exist in
either wget/gunzip/libgeoip then it's possible to use this as an attack vector
- especially if the user puts this script in cron under the root user. (There
are probably many more ways to attack, but this is the most obvious way).

I hope this clarifies why I think we should find a better solution to this issue.

Regards,
    Tom Feiner
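One way to close the gap Tom describes, as an added shell example that is not part of this thread or of the geoip package's own update scripts: instead of piping whatever wget returns straight into gunzip, download to a temporary file, compare its SHA-256 with a digest obtained out of band (shipped in the package, or from a signed source; the digest value, the helper names and the temp-file layout below are assumptions), and only hand the file to gunzip once the digest matches. A spoofed DNS answer then yields a checksum mismatch and nothing is decompressed, rather than untrusted bytes reaching gunzip and libgeoip.

```shell
#!/bin/sh
# Added example, not from the geoip package. Pattern: fetch, verify, then extract.
# The insecure form discussed in the thread is `wget -O - URL | gunzip`, where
# gunzip (and later libgeoip) process bytes from whatever host DNS pointed at.

set -eu

# Verify that FILE has the SHA-256 digest EXPECTED, then decompress it to OUT.
# Returns 0 on success; returns 1 and leaves OUT untouched if the digest differs
# or gunzip fails, so a tampered or truncated download never replaces the old DB.
verify_and_extract() {
    file="$1"; expected="$2"; out="$3"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    # Decompress into a temp file in the target directory and rename into place,
    # so readers of OUT only ever see a complete, verified database.
    tmp=$(mktemp "${out}.XXXXXX")
    if gunzip -c "$file" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Download URL to a temp file and run verify_and_extract on it.
# EXPECTED must come from somewhere other than the (unauthenticated) URL itself;
# a digest fetched from the same place the attacker controls proves nothing.
fetch_verify_extract() {
    url="$1"; expected="$2"; out="$3"
    dl=$(mktemp)
    wget -q -O "$dl" "$url"
    if verify_and_extract "$dl" "$expected" "$out"; then rc=0; else rc=1; fi
    rm -f "$dl"
    return $rc
}

# Example invocation (digest is a placeholder, not a real GeoIP.dat.gz value):
# fetch_verify_extract \
#   http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
#   0000000000000000000000000000000000000000000000000000000000000000 \
#   /usr/share/GeoIP/GeoIP.dat
```

The check only helps if the expected digest is delivered through a channel the DNS attacker cannot alter; an HTTPS download with certificate verification, or a signed digest file, are the usual ways to get that.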
