Hello.

OpenSLP is an implementation of the "Service Location Protocol V2", an IETF standards track protocol that provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks. (http://www.openslp.org)

There is a symbolic link vulnerability in one of the initscripts shipped with OpenSLP. The slpd.all_init file uses '/tmp/route.check' as a temporary file in an unsafe manner: the name is fixed and predictable, the directory is world-writable, and the file is created with a plain shell redirection, which follows an already existing symbolic link instead of refusing it. Since this script is usually run by the root user (to start the service), an attacker could exploit this to at least "reset" (truncate and overwrite) the content of any file in the system as soon as the "start" action is called. As with any standard symlink vulnerability, all the attacker needs is to create a /tmp/route.check symlink pointing to a system file before the script runs.

Fortunately, the aforementioned initscript is not used by many vendors (only Conectiva, according to a vendor-sec discussion). Debian distributes OpenSLP but uses another script.

The problem affects OpenSLP 1.0.11 (and probably older versions) and is fixed in the CVS of the project.

From the slpd.all_init file:

"""
...
TMP_FILE=/tmp/route.check
...
ping ... > $TMP_FILE
...
rm -f $TMP_FILE
...
"""

The openslp maintainers and the guys from vendor-sec were contacted on 2003-Aug-07 and agreed on this disclosure date.

-- 
Ademar de Souza Reis Jr. <ademar@conectiva.com.br>
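As an added example (not code from the advisory or from the OpenSLP project), the following POSIX shell script reproduces the slpd.all_init pattern inside a private scratch directory so it runs offline and without root: a sandbox directory stands in for /tmp, a "victim" file stands in for the system file the attacker targets, and ping is replaced by echo, since only the redirection target matters. The function names and the sandbox layout are assumptions made for the demonstration. The hardened variant replaces the fixed name with mktemp(1), which is the standard fix for this class of bug.

```shell
#!/bin/sh
# Added example, not from the advisory or OpenSLP. Reproduces the
# "fixed name in /tmp + '>' redirection" symlink bug in a sandbox and
# contrasts it with a mktemp(1)-based temporary file.

# Build the scratch area: a victim file (stands in for any root-writable
# system file) and a "tmp" directory (stands in for /tmp). The attacker,
# who needs no privileges, pre-plants a symlink at the predictable name.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir "$SANDBOX/tmp" || return 1
    printf 'important system data\n' > "$SANDBOX/victim"
    ln -s "$SANDBOX/victim" "$SANDBOX/tmp/route.check"
}

cleanup_sandbox() {
    rm -rf "$SANDBOX"
}

# Returns 0 if the victim file no longer holds its original content.
victim_was_clobbered() {
    ! grep -q 'important system data' "$SANDBOX/victim"
}

# Vulnerable pattern, as quoted from slpd.all_init: fixed path in a
# world-writable directory, opened with a plain '>' redirection. The
# shell opens the path with O_CREAT|O_TRUNC, which follows the symlink,
# so root truncates and overwrites the victim. Returns 0 when clobbered.
vulnerable_pattern_clobbers() {
    setup_sandbox || return 2
    TMP_FILE="$SANDBOX/tmp/route.check"                    # was /tmp/route.check
    echo "64 bytes from 10.0.0.1: icmp_seq=1" > "$TMP_FILE" # stands in for ping ... > $TMP_FILE
    rm -f "$TMP_FILE"                                       # removes only the link
    victim_was_clobbered; rc=$?
    cleanup_sandbox
    return $rc
}

# Hardened pattern: mktemp(1) creates a fresh file with O_CREAT|O_EXCL,
# mode 0600 and an unpredictable suffix, so a pre-planted name is never
# reused and the open fails rather than following anything. The trap
# makes cleanup happen even if the script is interrupted.
# Returns 0 only if the victim got clobbered, which must not happen.
safe_pattern_clobbers() {
    setup_sandbox || return 2
    TMP_FILE=$(mktemp "$SANDBOX/tmp/route.check.XXXXXX") || { cleanup_sandbox; return 2; }
    trap 'rm -f "$TMP_FILE"' EXIT
    echo "64 bytes from 10.0.0.1: icmp_seq=1" > "$TMP_FILE"
    rm -f "$TMP_FILE"
    trap - EXIT
    victim_was_clobbered; rc=$?
    cleanup_sandbox
    return $rc
}

# Stand-alone demonstration.
if vulnerable_pattern_clobbers; then
    echo "vulnerable pattern: victim truncated and overwritten through the symlink"
fi
if safe_pattern_clobbers; then
    echo "hardened pattern: victim clobbered (unexpected)"
else
    echo "hardened pattern: victim untouched"
fi
```

Two practitioner caveats. First, testing the path with `[ -L "$TMP_FILE" ]` before the redirection is not a fix: the attacker can plant the link between the test and the open (a TOCTOU race), which is why the remedy is an exclusive create of a name the attacker cannot guess. Second, on Linux 3.6 and later with fs.protected_symlinks=1, the kernel refuses to let root follow a symlink owned by another user inside a sticky world-writable directory such as /tmp, so a live run of the original initscript would fail with EACCES rather than clobber the target; the sandbox directory above is neither sticky nor root-owned, so the vulnerable pattern still demonstrates as the advisory describes it.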