[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: writing files securely

Previously Josip Rodin wrote:
> I'm currently reviewing a new version of joe that uses patches from other
> sources, and this is the chunk of code they used to fix this issue:

Lets see what they did :)

> 		  /*
> 		     A race condition still exists between the lstat() and the open()
> 		     systemcall, which leads to a possible denial-of-service attack
> 		     by setting the file access mode to 600 for every file the
> 		     user executing joe has permissions to.
> 		     This can't be fixed w/o breacking the behavior of the orig. joe!
> 		   */

Not very reassuring comment there..

Ok, it seems they did not fix anything at all here and joe can still be
just as easily tricked into overwriting files. What can happen is this:

1. Suppose we are in a world writeable non-sticky directory
2. attacker creates a hardlink to any file from the user to DEADJOE
2. joe tries to create DEADJOE securely (O_EXCL|O_CREAT)
3. this failes since the file already exists (the hardlink made in step 1)
4. joe lstats the file and discovers it is a normal file owned its user
5. attacker removes the hardlink and replaces it with a symlink to another
6. joe happily opens the symlinked file and appends data to it

So the attacker just tricked joe into appending data to a random file
possibly corrupting it.


 / Generally uninteresting signature - ignore at your convenience  \
| wichert@cistron.nl                  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

Reply to: