
Re: severity for bugs in ignoring TMP/TMPDIR?



On Fri, 2012-02-10 at 18:53 -0800, Russ Allbery wrote:
> Paul Wise <pabs@debian.org> writes:
> > On Fri, Feb 10, 2012 at 4:35 PM, Javier Fernandez-Sanguino wrote:
> 
> >> If you (or the maintainer) review the code or analyse the program's
> >> behaviour and it is using *fixed* (i.e. not random) filenames for the
> >> temporary files or for the directories they are created in (/tmp or
> >> /var/tmp), you might want to suggest the maintainer to review if the
> >> code in charge of creating temporary files is doing this properly.
> 
> > Should I find hard-coded uses of /tmp/, do you have any suggestions or
> > tips about how to assess the security impact of these issues. Up to now
> > I simply created symlinks as the nobody user from /tmp/foo to ~pabs/foo
> > and checked if ~pabs/foo was overwritten. I wonder if there are any
> > tools to automatically assess the impact of these issues by using
> > LD_PRELOAD and or fs/user namespaces, are you aware of any of these?
> 
> You could probably use strace to find problems by looking for an
> open(O_CREAT) of a file in /tmp that doesn't look like it's
> mkstemp-created (ending in six random characters) and doesn't use O_EXCL.
[...]

The test should be for non-random names *or* missing O_EXCL.  Use of an
entirely predictable name with O_EXCL allows a DoS and use of a
pseudo-random name without O_EXCL may still be exploitable for
overwriting other files if the attacker can try repeatedly.

(Note we may yet patch the kernel to stop most such attacks.)

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou
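The check Russ and Ben describe above (scan an strace log for creates under /tmp or /var/tmp and flag any that use a non-random name or omit O_EXCL) as an added example; this is not code from the thread or from any Debian tool. The strace lines are constructed, and the "looks mkstemp-generated" test is a heuristic of my own: six trailing alphanumeric characters drawn from at least two of upper case, lower case and digits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed strace output, not from a real program run; `strace -f -e trace=open,openat`
# produces lines of this shape.
SAMPLE_TRACE = """\
open("/tmp/foo.lock", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
open("/tmp/app.conf", O_WRONLY|O_CREAT|O_EXCL, 0600) = 4
openat(AT_FDCWD, "/tmp/tmpfa8K2q", O_RDWR|O_CREAT|O_EXCL, 0600) = 5
openat(AT_FDCWD, "/tmp/cacheX9b3Qz", O_WRONLY|O_CREAT, 0644) = 6
open("/home/user/.config", O_RDONLY) = 7
open("/tmp/readonly", O_RDONLY) = 8
"""

TMP_DIRS = ("/tmp/", "/var/tmp/")

OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'   # optional "[pid N]" prefix from strace -f
    r'open(?:at)?\('
    r'(?:AT_FDCWD,\s*)?'        # openat's dirfd argument
    r'"(?P<path>[^"]+)",\s*'
    r'(?P<flags>[A-Z0-9_|]+)'
)


@dataclass
class Finding:
    path: str
    flags: List[str]
    problems: List[str] = field(default_factory=list)


def looks_mkstemp_named(path: str) -> bool:
    """Heuristic (an assumption, not a spec): mkstemp replaces a trailing XXXXXX
    with six characters from [A-Za-z0-9], so treat a basename whose last six
    characters are alphanumeric and mix at least two character classes as random."""
    tail = path.rsplit("/", 1)[-1][-6:]
    if len(tail) != 6 or not tail.isalnum():
        return False
    classes = sum(
        1 for pred in (str.islower, str.isupper, str.isdigit)
        if any(pred(c) for c in tail)
    )
    return classes >= 2


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a create under a shared tmp dir that fails either test."""
    m = OPEN_RE.match(line.strip())
    if not m:
        return None
    path, flags = m.group("path"), m.group("flags").split("|")
    if not path.startswith(TMP_DIRS) or "O_CREAT" not in flags:
        return None
    f = Finding(path, flags)
    # Ben's point: a predictable name is a problem even with O_EXCL (DoS by
    # pre-creating it), and a random name is still a problem without O_EXCL
    # (an attacker who can retry may land a symlink before the create).
    if not looks_mkstemp_named(path):
        f.problems.append("predictable name (DoS by pre-creating it, even with O_EXCL)")
    if "O_EXCL" not in flags:
        f.problems.append("missing O_EXCL (a symlink can redirect the create/truncate)")
    return f if f.problems else None


def scan(trace: str) -> List[Finding]:
    return [f for f in (check_line(l) for l in trace.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        print(f.path, "->", "; ".join(f.problems))
```

Only the mkstemp-style create of /tmp/tmpfa8K2q passes; the other three creates are reported for one or both of the reasons the thread gives. The heuristic will misjudge some names (a real file whose basename happens to end in six mixed characters), so treat the output as a list of candidates for manual review of the code, not as proof either way.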
