Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: imp5~1.htm

Imp-2.2.4 symlink attack



Vulnerability

    IMP

Affected

    Imp-2.2.4

Description

    Jarno Huuskonen found following.   Only tested imp-2.2.4 on  Linux
    and AIX  (with php-4.0.5/php-3.0.18)  but AFAIK  all platforms are
    affected.   There  is  a  possible  local  file overwrite (symlink
    attack).

    Imp-webmail  uses  predictable  temporary  filenames when handling
    uploaded attachments or when 'viewing' attachments.

    Uploaded attachments:
    =====================
    When a user composes a new email all the attachments are  uploaded
    to the  webmail server.   First PHP  handles the  file upload  and
    creates  a  temporary  file  (the  file  is  created  in   php.ini
    'upload_tmp_dir' or  /tmp).   The temporary  filename is something
    like /tmp/phpXXXXXX (where  X's are 'random').   After this  imp's
    compose.php3  copies  this  temporary  file  for safekeeping.  The
    destination filename imp uses is /tmp/phpXXXXXX.att, but imp fails
    to check if  the destination exists  (and the destination  file is
    opened without the  O_EXCL flag). So  the attacker can  watch /tmp
    (or upload_tmp_dir) for phpXXXXXX files and then quickly create  a
    symlink:

        ln -s /tmp/phpXXXXXX.att /to/webserver_writable_file

    Attachment viewers:
    ===================
    Imp can use  external viewers for  viewing email attachments  like
    zip-files.        Before     calling     these     viewers     imp
    (imp/lib/mimetypes.lib)  saves  the  attachment  into  a temporary
    file.  These filenames are something like:

        /tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents)

    So the  filename is  quite easy  to guess  and the  file is opened
    without O_EXCL (so  creating a bunch  of /tmp/imp.... symlinks  is
    also possible) (Note: John Paris has discovered this earlier).

Solution

    Upgrade  to  imp-2.2.5  and  use  the  'upload_tmp_dir'  directive
    (php.ini) to  define a  directory where  uploaded files  should go
    (see imp/docs/SECURITY for more information).

    Note:  Imp-2.2.5  uses  the  PHP  tempnam  function  for  creating
    temporary  files.   With  PHP  versions  earlier  than  4.0.3? the
    tempnam function doesn't use mkstemp (so it has a race  condition)
    so upgrading to  PHP-4.0.5 or patching  PHP-3.0.18 to use  mkstemp
    is advisable.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH