
TUCoPS :: Unix :: General :: angel-1.htm

Angel and Autobuse insecure tempfile handling

    Angel and Autobuse


    Those using vulnerable versions


    John  Daniele  decided  to  play  around  with a couple of network
    management  tools  on;  Angel  and   Autobuse.
    Unfortunately, upon review of the source, he noticed a bad  trend.
    Both  tools   handle  temporary   files  insecurely.   The l0pht's
    tempwatch tool is useful in rooting out such problems:

    (or /usr/ports/security/tempwatch on OpenBSD)...

    For example, in Autobuse's main perl script, line 96:

        if(!$test_run) {
                # The only variable part of the name is the PID ($$), and the
                # file is opened with a plain ">" (no O_EXCL), so a symlink
                # planted at this name is followed and its target overwritten.
                open OUT, ">/tmp/autobuse_report.$$"
                        or die "can't open /tmp/autobuse_report.$$";
                select OUT;
        }

    Simple symlink attack: point /tmp/autobuse_report.$$ at a file that
    is writable by the user running the script (just brute force the .$$
    part) and the script overwrites the linked file.  Since a lot of
    users will be putting network management scripts in root's crontab,
    this poses a significant risk to security.

    Variation of the same story in, line 504:

        sub timeexec {
                my($tempfile) = "/tmp/timeexec.$$";   # PID-based name, same problem
                $myproc = Proc::Simple->new();
                # The shell redirection ">" follows whatever is already at
                # $tempfile, symlink included, before the output is read back.
                $myproc->start("$cmd >$tempfile 2>&1");
                open (CDTEMP, "$tempfile") || return (-1, ());
                # (rest of the subroutine not shown in the advisory)
        }

    The  subroutine  timeexec()  is  called  by Angel's, and plugin scripts like this:

        ($ret, @output) = timeexec($Default_tries, $Default_timeout, $rcmdline);

    John  looked   around  for   some  more   perl/shell  scripts   on
    securityfocus  that   exhibited  the   same  problem   and   found

        COPYRIGHT='1999 Eddie Olsson <>'
        # Read the settings from the file /etc/confcollect.conf
        [ -f /etc/confcollect.conf ] || exit 1
        . /etc/confcollect.conf
        # Name is fully predictable (hostname plus date) and lands in /tmp
        CFILENAME=`hostname`.`date +"%Y%m%d"`.confcollect.tar.gz
        tar zcf /tmp/$CFILENAME /etc 2>/dev/null

    John also noticed  a vulnerable example  script on my  slack 7 box
    at  /usr/lib/m4-examples/  (yeah,  yeah,  who  is silly
    enough to run this stuff as r00t?)

        trap 'rm -f $tmpfile; exit 1' 1 2 3 15
        $M4 -L999999999 > $tmpfile 2>&1    # ">" follows a symlink at $tmpfile

    OH! OH! and a really cool program that a number of ppl run  called
    root-portal contains  a number  of scripts  afflicted by  the same

        cd /tmp
        if test "${more_recent}" = "${half_hour_ago}"; then
                mv -f recentnews.txt recentnews.txt.old > /dev/null
                wget -q    # URL not shown in the advisory
                if test ! -f /tmp/recentnews.txt; then
                        mv -f recentnews.txt.old recentnews.txt > /dev/null
                fi
                chmod a+rw recentnews.txt
                date '+%Y%j%H%M' > /tmp/freshmeat_read.timestamp
                chmod a+rw freshmeat_read.timestamp
        fi

    Heh, forgot to  mv freshmeat_read.timestamp too  eh?  Nice  way to
    make certain files world writable!


    Rule of thumb:

    - Create a more secure storage directory for your temporary files
      (the directory needs the execute bit, so 700 rather than 600):
      mkdir /home/blah; chmod 700 /home/blah
    - Allow the user to easily customize this directory:

        $SECUREDIR = /home/blah

    - Check  for the  existence of  your temporary  file before you do
      anything with it:

        if [ -e "$tmpfile" ]; then
                echo -e "ERROR! : temporary file exists, erasing!\r\n"; rm -rf "$tmpfile"
        fi

    -  you still have an  exploitable race here.  A better  way around
       this  (esp.  for  program  with  many  tmp  files)  is to use a
       temporary  directory  instead,  as  in  OpenBSD's /etc/security

        umask 077

        # $DIR is set earlier in the script.  mkdir is atomic: it fails if
        # anything (file, directory or symlink) already has that name.
        if ! mkdir $DIR ; then
                printf "tmp directory %s already exists, looks like:\n" $DIR
                ls -alF $DIR
                exit 1
        fi

        trap 'rm -rf $DIR; exit 1' 0 1 2 3 13 15

    or if  you're using  OpenBSD, use  the mktemp(1)  program in  your

    - If necessary, ensure that the file is not a symlink:

        if [ -L "$tmpfile" ]; then ...
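    The rules above put together, as an added shell example that is not
    code from the advisory, from Angel or Autobuse, or from any other tool
    named here.  It uses mkdir (and mktemp(1) where it exists) as the
    atomic create-or-fail step from the OpenBSD /etc/security excerpt, and
    the shell's noclobber option (set -C) so that writing a report into
    the directory is refused rather than following whatever is already at
    that path.  The function names, the /tmp/work prefix and the sample
    report text are constructed for this example.

```sh
#!/bin/sh
# Added example: not code from the advisory, Angel, Autobuse or any other
# tool it names.  It follows the rule of thumb: create a private directory
# atomically, keep the work files inside it, and never silently clobber a
# path that may already exist.  Names and paths are constructed for this
# example.

# create_private_dir DIR
#   Create DIR with mode 0700 in one step.  mkdir fails if anything (file,
#   directory or symlink) already has that name, so unlike "[ -e ]" followed
#   by a later create there is no window for a planted symlink.
create_private_dir() {
    dir=$1
    old_umask=$(umask)
    umask 077                        # owner-only, like the /etc/security excerpt
    rc=0
    mkdir "$dir" 2>/dev/null || rc=1
    umask "$old_umask"
    return "$rc"
}

# make_tmpdir PREFIX
#   Prefer mktemp(1): unpredictable name, created atomically with mode 0700.
#   Fall back to create_private_dir with a PID-based name, which is still
#   atomic but guessable, as the advisory notes for ".$$" names.
make_tmpdir() {
    prefix=${1:-/tmp/work}
    if command -v mktemp >/dev/null 2>&1; then
        mktemp -d "${prefix}.XXXXXX"
    else
        dir="${prefix}.$$"
        create_private_dir "$dir" && printf '%s\n' "$dir"
    fi
}

# write_report DIR NAME
#   Copy stdin to DIR/NAME with noclobber (set -C) on, so the ">"
#   redirection is refused when something already sits at that path
#   instead of following it.  This is what the plain ">/tmp/file.$$"
#   redirections in the excerpts above lack.
write_report() {
    out="$1/$2"
    ( set -C; cat > "$out" ) 2>/dev/null
}

# Stand-alone demo: one private work directory, one report written into it,
# removed on exit (trap on 0, as in the /etc/security excerpt).
workdir=$(make_tmpdir /tmp/work) || exit 1
trap 'rm -rf "$workdir"' 0 1 2 3 15
printf 'report body\n' | write_report "$workdir" report && cat "$workdir/report"
```

    With noclobber on, the shell refuses the redirection whenever a path
    already exists, so a second write_report to the same name fails and
    the first report is left untouched; a tmp file that must be reused is
    then removed explicitly and recreated rather than truncated in place.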

    Autobuse is fixed, partly, in autobuse version snap949125599,  and
    more so in today's snap949380617, which uses this mktemp function:

        sub get_tmpfile {
            my $file;
            my $foo;
            do {
                open RAN, "/dev/random" or die "can't open /dev/random: $!";
                read RAN, $foo, 8;          # 8 random bytes -> 16 hex digits
                close RAN;
                $file = '/tmp/autobuse' . unpack('H16', $foo);
            } while (-e $file || -l $file);
            # The name is only checked here, not created, so the caller
            # still has to open it without following a symlink.
            return $file;
        }

    This method  is Linux-specific,  but that's  all ppl  need mostly.
    The fixed autobuse is available at
