Tempfile vulnerabilities

From: foo (fooat_private)
Date: Sun Jan 30 2000 - 14:58:14 PST


    Hi,
    
    This weekend I decided to play around with a couple of network
    management tools on securityfocus.com: Angel
    (http://www.paganini.net/angel/) and Autobuse
    (http://www.picante.com/~gtaylor/download/). Unfortunately,
    upon review of the source, I noticed a bad trend. Both tools handle
    temporary files insecurely. For example:
    
    In Autobuse's main perl script, line 96:
    
            if(!$test_run) {
                    open OUT, ">/tmp/autobuse_report.$$"
                            or die "can't open /tmp/autobuse_report.$$";
                    select OUT;
            }
    
    Simple symlink attack: make a link from a file that is writable by the
    user running the script to /tmp/autobuse_report.$$ (just brute force
    the .$$ part) to overwrite the linked file. Since a lot of users will
    be putting network management scripts in root's crontab, this poses
    a significant risk to security.
    
    Variation of the same story in Angel.pl, line 504:
    
            sub timeexec
            {
                    ...
                    my($tempfile) = "/tmp/timeexec.$$";
                    $myproc = Proc::Simple->new();
                    $myproc->start("$cmd >$tempfile 2>&1");
                    ...
                    open (CDTEMP, "$tempfile") || return (-1, ());
                    ...
    
    The subroutine timeexec() is called by Angel's Check_ping.pl,
    Check_load.pl and Check_disk.pl plugin scripts like this:
    
    ($ret, @output) = timeexec($Default_tries, $Default_timeout, $rcmdline);
    
    I looked around for some more perl/shell scripts on securityfocus that
    exhibited the same problem and found confcollect:
    
    #!/bin/sh
    VERSION=0.1d
    COPYRIGHT='1999 Eddie Olsson <ewtat_private>'
    PATH=$PATH:/sbin
    # Read settings from the file /etc/confcollect.conf
    [ -f /etc/confcollect.conf ] || exit 1
    . /etc/confcollect.conf
    CFILENAME=`hostname`.`date +"%Y%m%d"`.confcollect.tar.gz
    ...
    tar zcf /tmp/$CFILENAME /etc 2>/dev/null
    
    Oh, I also noticed a vulnerable example script on my slack 7 box
    at /usr/lib/m4-examples/stackovf.sh:
    (yeah, yeah, I know, who is silly enough to run this stuff as r00t? :P )
    
    #!/bin/sh
    ...
    tmpfile=/tmp/t.$$
    trap 'rm -f $tmpfile; exit 1' 1 2 3 15
    ...
    $M4 -L999999999 > $tmpfile 2>&1
    
    OH! OH! and a really cool program that a number of ppl I know run called
    root-portal (http://driftwood.draconic.com/root-portal) contains a number
    of scripts afflicted by the same bug!:
    
    #!/bin/sh
    cd /tmp
    ...
    if test "${more_recent}" = "${half_hour_ago}"
    then
            mv -f recentnews.txt recentnews.txt.old > /dev/null
            wget -q http://freshmeat.net/backend/recentnews.txt
            if test ! -f /tmp/recentnews.txt
            then
                    mv -f recentnews.txt.old recentnews.txt > /dev/null
            fi
            chmod a+rw recentnews.txt
            date '+%Y%j%H%M' > /tmp/freshmeat_read.timestamp
            chmod a+rw freshmeat_read.timestamp
    fi
    
    heh, forgot to mv freshmeat_read.timestamp too eh?
    Nice way to make certain files world writable!
    
    Let's all be a bit more careful next time, shall we?
    
    Rule of thumb:
    
    - Create a more secure storage directory for your temporary files
      (a directory needs the execute bit for its owner to be usable):
      mkdir /home/blah; chmod 700 /home/blah
    
    - Allow the user to easily customize this directory:
      SECUREDIR=/home/blah
    
    - Check for the existence of your temporary file before you do anything
      with it:
    
    SECUREDIR=/home/blah
    tmpfile=$SECUREDIR/t.$$
    if [ -e "$tmpfile" ]; then
            echo "ERROR! : temporary file exists, erasing!" >&2
            rm -rf "$tmpfile"
    fi
    
    - If necessary, ensure that the file is not a symlink:
    if [ -L "$tmpfile" ]; then ...
    
    - John Daniele
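
The following is an added example, not part of the post above, showing how to apply its rule of thumb (private directory, refuse pre-existing or symlinked paths) while also creating the file atomically with mktemp(1), so that a pre-planted symlink cannot redirect the write. It assumes a POSIX sh with mktemp available; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): safe temporary files for
# scripts that otherwise do "$cmd >/tmp/name.$$".  Assumes POSIX sh and
# mktemp(1); function names are hypothetical.

# Create a private scratch directory.  mktemp opens with O_EXCL, so an
# attacker cannot have pre-created the path, and umask 077 makes it 0700
# (the directory keeps its execute bit, unlike "chmod 600").
make_secure_dir() {
    umask 077
    mktemp -d "${TMPDIR:-/tmp}/secure.XXXXXX"
}

# The post's check: refuse a candidate path that is a symlink or already
# exists.  -L must come first, because -e follows the link and reports
# "missing" for a dangling symlink.  This is a last line of defence only;
# there is still a race between this test and the later open, which is
# why the actual file is created with mktemp below.
tmp_path_is_clean() {
    path=$1
    if [ -L "$path" ]; then
        echo "refusing $path: symbolic link" >&2
        return 1
    fi
    if [ -e "$path" ]; then
        echo "refusing $path: already exists" >&2
        return 1
    fi
    return 0
}

# Run a command, capturing stdout+stderr into a freshly created 0600 file
# inside a private directory, and print the file's path.
run_to_tmp() {
    dir=$(make_secure_dir) || return 1
    out=$(mktemp "$dir/out.XXXXXX") || return 1
    "$@" >"$out" 2>&1
    echo "$out"
}
```

Clean up the directory returned by make_secure_dir when the script exits, for example from a trap as the m4 example above does.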
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:23 PDT