
Re: Possible mass bug filing: The possibility of attack with the help of symlinks in some Debian packages

Ivan Jager wrote:
> qemu-make-debian-root will continue running even if mkdir failed.

Dmitry said the script has -e set - if so the script will not continue running if mkdir failed (unless it somehow overrides the -e check, e.g. mkdir /tmp/file || true).

> Also, assuming qemu-make-debian-root is running with PID 1234, an attacker is free to change the /tmp/mount.1234 symlink during the execution of the script. If /tmp/mount.1234 is linked to /etc/, the script will mount the freshly created filesystem image on top of /etc, making a lot of programs very sad.
>
> An attacker could then change the symlink such that debootstrap will install anywhere he wants (which may allow him to overwrite some files, but I haven't looked closely at debootstrap).

I don't think these attacks are possible if the script aborts when mkdir fails. mkdir won't succeed if there is a symlink.

In any case, doing something better would be good because it means an attacker can't run a denial-of-service type attack and prevent the script from running.

Brian May
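
The behaviour discussed in this message, as an added example that is not part of the original post or of qemu-make-debian-root: a child `sh -e` meets a symlink already sitting at the predictable name, once with a plain mkdir and once with the `|| true` override. The sandbox directory, the function names and the use of `mktemp -d` as the "something better" are assumptions; `mount.1234` mirrors the path named in the thread.

```shell
#!/bin/sh
# Constructed demo: every path lives in a private sandbox made with mktemp -d,
# and mount.1234 stands in for the predictable /tmp/mount.<pid> from the thread.

# Run a child "sh -e" whose mkdir line ($1) meets a pre-planted symlink.
# Returns 0 if the line after mkdir still ran, 1 if the script stopped first.
next_step_runs() {
    sandbox=$(mktemp -d) || return 2
    ln -s /nonexistent "$sandbox/mount.1234"      # dangling symlink, planted first
    d="$sandbox/mount.1234" reached="$sandbox/reached" \
        sh -e -c "$1
: > \"\$reached\"" 2>/dev/null || true
    if [ -e "$sandbox/reached" ]; then rc=0; else rc=1; fi
    rm -rf "$sandbox"
    return "$rc"
}

# Assumed "something better": let mktemp pick an unpredictable name and create
# the directory atomically (mode 0700), so a pre-planted name cannot block it.
make_mountpoint() {
    mktemp -d "${1:-/tmp}/mount.XXXXXX"
}

report() {
    if next_step_runs "$1"; then echo "continues: $1"; else echo "aborts:    $1"; fi
}

report 'mkdir "$d"'            # -e stops the script at the failed mkdir
report 'mkdir "$d" || true'    # the override mentioned above defeats -e
mp=$(make_mountpoint "${TMPDIR:-/tmp}") && echo "safe mount point: $mp" && rmdir "$mp"
```

mkdir fails with EEXIST even when the symlink is dangling, which is why the plain form aborts under -e while the pre-planted name still blocks the script from running.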
