[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

On Wed, 13 Aug 2008, Brian May wrote:
Dmitry E. Oboukhov wrote:
qemu makes mount the directory /tmp/mount.$$. Attacker creates many
symlinks /tmp/dir.\d+ -> /etc and if qemu
(/usr/sbin/qemu-make-debian-root) starts then /etc goes
out from root directory tree. The result: system is unusable.

I might be dense, but I don't get this.

Attacker does:

root@andean:/tmp# ln -s /etc /tmp/mount-1234

Then the genuine user does:

root@andean:/tmp# mkdir /tmp/mount-1234
mkdir: cannot create directory `/tmp/mount-1234': File exists

strace shows:
mkdir("/tmp/pmount-1234", 0777)         = -1 EEXIST (File exists)

So, ok, this means the process can't continue any more (denial of service attack), and if the process does continue this is a problem, otherwise I can't see how this would bring the entire system down.

qemu-make-debian-root will continue running even if mkdir failed. Also, assuming qemu-make-debian-root is running with PID 1234, an attacker is free to change the /tmp/mount.1234 symlink during the execution of the script. If /tmp/mount.1234 is linked to /etc/, the script will mount the freshly created filesystem image on top of /etc, making a lot of programs very sad.

An attacker could then change the symlink such that debbootstrap will install anywhere he wants. (which may allow him to overwrite some files, but I haven't looked closely at debbootstrap.)

And then he could change the symlink again to overwrite and delete a few more files.

Of course some of these are timing attacks, so may work with varying reliability.


Reply to: