
Re: RFH: Insecure directory creation?



On Fri, Dec 22, 2006 at 01:51:20PM +0100, Loïc Minier wrote:
>  Would someone be so kind to either correct me or to help me word why
>  this is a bad idea?

This is a bad idea because, if mach creates (on installation)
/var/tmp/mach/something, and a rogue user creates (before installation)
/var/tmp/mach/ and makes a symlink from 'something' to /etc/passwd, the whole
system will be hosed when the
package is installed. How can you do privilege escalation? Easy, just have
'something' point to /etc/cron.daily/ and try to get mach to write something
*you* would like to get executed by cron.

So, the comment (in the SF thread):

>For example, making the symlink pointing to somewhere else still doesn't
>allow that user to do anything even if mach would install stuff there.

really depends on *what* gets installed. If mach is running as root and
installs something (user-controlled?) in a place that *other programs* will
read and execute (think scripts in /etc/rc.d/ or /etc/cron.d/ or
/etc/network/ifupdown.d/) then it can be used as a privilege elevation
mechanism.

If the contents created below /var/tmp/mach are predictable (in their
location or name) it can be exploited to do all kinds of tricks.

I don't know how mach operates precisely, would you care to elaborate on how
and when it uses /var/tmp/mach/? What files are created there? What control
does the user have on the content or naming of those files?

Regards

Javier
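
The following is an added example, not part of the original message and not mach's code: one way for a privileged program to use a fixed-name directory under a world-writable parent without following a pre-planted symlink. The function names and the temporary paths standing in for /var/tmp and /etc/passwd are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def open_private_dir(parent, name):
    """Create or verify parent/name (mode 0700); return a directory fd."""
    path = os.path.join(parent, name)
    try:
        os.mkdir(path, 0o700)  # EEXIST if anything, even a symlink, is there
    except FileExistsError:
        pass  # pre-existing entry: verified below before it is trusted
    # O_NOFOLLOW: fail if the final path component is a symlink.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    st = os.fstat(fd)  # check the object actually opened, not the path
    if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        os.close(fd)
        raise PermissionError(f"{path}: wrong owner or writable by others")
    return fd

def create_file_in(dir_fd, name, data):
    """Create a new file relative to dir_fd; O_EXCL never reuses an entry."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(name, flags, 0o600, dir_fd=dir_fd), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario; temp paths stand in for /var/tmp and /etc/passwd."""
    results = {}
    with tempfile.TemporaryDirectory() as world:
        victim = os.path.join(world, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(world, os.path.join(world, "mach"))  # planted directory
        try:
            os.close(open_private_dir(world, "mach"))
            results["dir_symlink"] = "accepted"
        except OSError:
            results["dir_symlink"] = "refused"
        dfd = open_private_dir(world, "mach2")  # directory we own
        os.symlink(victim, "something", dir_fd=dfd)  # planted file entry
        try:
            create_file_in(dfd, "something", b"payload\n")
            results["file_symlink"] = "accepted"
        except FileExistsError:
            results["file_symlink"] = "refused"
        os.close(dfd)
        with open(victim) as f:
            results["victim"] = f.read()
    return results
```

Checking ownership and mode with fstat on the opened descriptor, and creating files relative to that descriptor, avoids the window between checking a path and using it.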

