
Re: severity for bugs in ignoring TMP/TMPDIR?

On Fri, 2012-02-10 at 18:53 -0800, Russ Allbery wrote:
> Paul Wise <pabs@debian.org> writes:
> > On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote:
> >> If you (or the maintainer) review the code or analyse the program's
> >> behaviour and it is using *fixed* (i.e. not random) filenames for the
> >> temporary files or for the directories they are created in (/tmp or
> >> /var/tmp), you might want to suggest that the maintainer review whether the
> >> code in charge of creating temporary files is doing this properly.
> > Should I find hard-coded uses of /tmp/, do you have any suggestions or
> > tips about how to assess the security impact of these issues? Up to now
> > I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo
> > and checked if ~pabs/foo was overwritten. I wonder if there are any
> > tools to automatically assess the impact of these issues by using
> > LD_PRELOAD and/or fs/user namespaces; are you aware of any of these?
> You could probably use strace to find problems by looking for an
> open(O_CREAT) of a file in /tmp that doesn't look like it's
> mkstemp-created (ending in six random characters) and doesn't use O_EXCL.

The test should be for non-random names *or* missing O_EXCL.  Use of an
entirely predictable name with O_EXCL allows a DoS and use of a
pseudo-random name without O_EXCL may still be exploitable for
overwriting other files if the attacker can try repeatedly.

(Note we may yet patch the kernel to stop most such attacks.)


Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou
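The strace-based audit that Russ suggests, combined with Ben's rule that both conditions matter (predictable name *or* missing O_EXCL), can be scripted. The following checker is an added example and is not part of the mail thread or of any Debian tool; it assumes trace lines in the format strace prints for open()/openat() (e.g. from `strace -f -e trace=open,openat`), uses a constructed sample trace, and treats "ends in six alphanumeric characters mixing letters and digits or cases" as a heuristic for an mkstemp()-generated name.

```python
import re

# Matches open()/openat() calls as strace prints them.  Assumption: the trace
# came from something like `strace -f -e trace=open,openat`, so lines look
# like  open("/tmp/foo", O_WRONLY|O_CREAT, 0666) = 3  (pid prefix optional).
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s*|\d+\s+)?'          # optional "[pid N]" / "N " from -f
    r'open(?:at)?\((?:AT_FDCWD,\s*)?'         # open( or openat(AT_FDCWD,
    r'"(?P<path>[^"]*)",\s*'                  # quoted path
    r'(?P<flags>[A-Z0-9_|]+)'                 # O_x|O_y|... up to the next comma
)

# Shared, world-writable directories where a planted symlink is the concern.
TMP_DIRS = ("/tmp/", "/var/tmp/")


def looks_random(name: str) -> bool:
    """Heuristic for an mkstemp()-style name: the last six characters are
    alphanumeric and mix letters with digits or both letter cases, which is
    what filling in the XXXXXX template produces.  A fixed name such as
    "foo" or "cache.lock" fails this test."""
    tail = name[-6:]
    if len(tail) < 6 or not tail.isalnum():
        return False
    has_digit = any(c.isdigit() for c in tail)
    has_alpha = any(c.isalpha() for c in tail)
    mixed_case = any(c.islower() for c in tail) and any(c.isupper() for c in tail)
    return (has_digit and has_alpha) or mixed_case


def audit_strace(lines):
    """Return [(path, issues)] for every file created under a shared
    temporary directory.  Following Ben's rule, an entry is reported when the
    name is predictable *or* O_EXCL is absent; the issues set says which
    condition (or both) applies."""
    findings = []
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        flags = set(m.group("flags").split("|"))
        if not path.startswith(TMP_DIRS) or "O_CREAT" not in flags:
            continue                           # not a temp-file creation
        issues = set()
        if not looks_random(path.rsplit("/", 1)[-1]):
            issues.add("predictable-name")     # pre-creatable: DoS even with O_EXCL
        if "O_EXCL" not in flags:
            issues.add("missing-O_EXCL")       # open() follows an existing symlink
        if issues:
            findings.append((path, issues))
    return findings


# Constructed sample trace (not a real program's output) covering each case:
# fixed name without O_EXCL, random name with O_EXCL (fine), fixed name with
# O_EXCL, random name without O_EXCL, and two opens that are not temp-file
# creations at all.
SAMPLE_TRACE = """\
open("/tmp/foo", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
open("/tmp/fileAbC123", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
openat(AT_FDCWD, "/tmp/cache.lock", O_WRONLY|O_CREAT|O_EXCL, 0644) = 5
[pid 4242] open("/tmp/xyzQ1wE2", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 6
open("/home/user/.bashrc", O_RDONLY) = 7
open("/tmp/report.zip", O_RDONLY) = 8
""".splitlines()


if __name__ == "__main__":
    for path, issues in audit_strace(SAMPLE_TRACE):
        print(f"{path}: {', '.join(sorted(issues))}")
```

Running it on a real trace means piping `strace -f -e trace=open,openat -o trace.log ./program` output through `audit_strace`. Absence of findings is not proof of safety: a program may create temp files through other calls (`creat()`, `mkdir()`, `rename()`) that this regex does not cover, and the six-character heuristic will accept any name that happens to end in mixed alphanumerics.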
