
S-plus /tmp race condition
7th Jan 2003 [SBWID-5917]

	S-plus /tmp race condition

	splus 6.0

	Paul Szabo says:
	The main Sqpe binary, and various shell script modules, use files in
		Clobbers /tmp/__F$$:
		open("/tmp/__F8499", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
		Clobbers /tmp/PRINT.$$.out
		Clobbers /tmp/SUBST$PID.TXT /tmp/ed.cmds$PID
		May clobber and use /tmp/file.1 /tmp/file.2
		May clobber and use /tmp/file.1
		Clobbers /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2
	Suppose an attacker creates a symlink from any of the "clobbered" files
	to one owned by the victim: guesses the PID that will be used, does
	  ln -s ~victim/.profile /tmp/__F123
	and waits for the victim to use Splus, then the victim's .profile will
	be trashed. Some or all of these attacks may then be escalated to
	arbitrary command execution; if root ever uses Splus then the damage is
	much greater.
	It might be argued that it is hard to guess what PID will be used next.
	It is easy enough to create a few thousand symlinks with likely PIDs;
	in fact the attacker could create a symlink for every possible PID (as
	these normally range from 0 to 32k or 64k).


	The scripts could be patched trivially using one of the textbook
	methods, e.g. using a safe directory:
	  mkdir -m 700 /tmp/mydir$$ || exit 1
	  ... do things to /tmp/mydir$$/myfile ...
	  rm -rf /tmp/mydir$$
	Fixing Sqpe is harder. Could (safely) pre-create /tmp/__F$$ e.g.:
	*** splus/6.0/cmd/NEW.old	Tue Oct 10 16:06:37 2000
	--- splus/6.0/cmd/NEW	Tue Dec 24 09:15:59 2002
	*** 9,13 ****
	--- 9,19 ----
	  	echo $target not found; exit 1
	+ set -e
	+ umask 077
	+ mkdir /tmp/F$$
	+ touch /tmp/F$$/__F$$
	+ mv -i /tmp/F$$/__F$$ /tmp </dev/null
	+ rmdir /tmp/F$$
	  exec $target
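	Review bot: the abort path in this hunk is implicit. If /tmp/__F$$ already exists when `mv -i /tmp/F$$/__F$$ /tmp </dev/null` runs, mv reads EOF as a refusal and leaves the file where it is, but a declined overwrite is not required to return non-zero, so `set -e` does not stop the script at that line; it only exits because the leftover file makes `rmdir /tmp/F$$` fail. Testing the outcome explicitly, e.g. `[ ! -e /tmp/F$$/__F$$ ] || exit 1` before the rmdir, states the intent and does not depend on mv's exit status for that case. Also worth a comment in the script: if /tmp/F$$ already exists, `mkdir /tmp/F$$` fails and the wrapper exits instead of running Splus, which is the intended fail-closed behaviour but will look like a spurious error to the user.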
	but Sqpe would still be open to races as it repeatedly open()s and
	unlink()s that file. A proper fix will have to come from the vendor.
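As an added example that is not part of the advisory, this C program reproduces the failure mode behind the strace line above (open with O_RDWR|O_CREAT|O_TRUNC, mode 0666) inside a private scratch directory and shows that opening with O_CREAT|O_EXCL|O_NOFOLLOW refuses a pre-planted symlink instead of truncating its target. The scratch directory, the victim file, its contents and the name __F123 are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open() Sqpe performs on /tmp/__F$$ (flags as in the strace line):
 * if the path already exists as a symlink, O_CREAT|O_TRUNC follows it and
 * truncates whatever the symlink points at. */
static int open_clobber(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: O_EXCL fails if anything already exists at the path
 * (a symlink included), O_NOFOLLOW refuses symlinks outright, and mode
 * 0600 keeps the file private. */
static int open_safe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a mkdtemp() directory standing in for /tmp:
 * "profile" plays the victim's file, "__F123" is a pre-planted symlink
 * to it. Returns the victim file's size after the open (0 means it was
 * clobbered, 21 means untouched), or -1 if the setup itself failed. */
static long run_scenario(int use_safe_open)
{
    const char msg[] = "export PATH=/usr/bin\n";           /* 21 bytes */
    char dir[] = "/tmp/racedemoXXXXXX", victim[64], tmpname[64];
    struct stat st;
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/profile", dir);
    snprintf(tmpname, sizeof tmpname, "%s/__F123", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, msg, sizeof msg - 1) < 0) return -1;
    close(fd);
    if (symlink(victim, tmpname) != 0) return -1;   /* the planted symlink */

    fd = use_safe_open ? open_safe(tmpname) : open_clobber(tmpname);
    if (fd >= 0) close(fd);
    if (stat(victim, &st) != 0) return -1;

    unlink(tmpname); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}
```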
