Imp-2.2.4 temporary files

From: Jarno Huuskonen (Jarno.Huuskonenat_private)
Date: Thu May 31 2001 - 03:15:26 PDT


         ------------------------------------------------------------
                 Imp-2.2.4 creates insecure temporary files.
                            Jarno.Huuskonenat_private
                                Thu May 31 2001
         ------------------------------------------------------------
    
    Author:
     Jarno Huuskonen <Jarno.Huuskonenat_private>
    
    Discovered:
     Wed 16 May 2001
    
     Horde project 'dev' mailing list contacted on Fri 18 May 2001[1].
     Imp-2.2.5 is available from http://www.horde.org/imp/
    
    Platforms:
     Only tested imp-2.2.4 on Linux and AIX (with php-4.0.5/php-3.0.18)
     but AFAIK all platforms are affected.
    
    Severity:
     Possible local file overwrite (symlink attack). For more information
     about race conditions see [2].
    
    Abstract:
     Imp-webmail uses predictable temporary filenames when handling
     uploaded attachments or when 'viewing' attachments.
    
    Details:
     Uploaded attachments:
     When a user composes a new email all the attachments are uploaded to
     the webmail server. First PHP handles the file upload and creates a
     temporary file (the file is created in the php.ini 'upload_tmp_dir' or
     in /tmp). The temporary filename is something like /tmp/phpXXXXXX
     (where the X's are 'random'). After this imp's compose.php3 copies this
     temporary file for safekeeping.
     The destination filename imp uses is /tmp/phpXXXXXX.att, but imp fails
     to check if the destination exists (and the destination file is opened
     without the O_EXCL flag). So the attacker can watch /tmp (or
     upload_tmp_dir) for phpXXXXXX files and then quickly create a symlink:
     'ln -s /tmp/phpXXXXXX.att /to/webserver_writable_file'
     
     Attachment viewers:
     Imp can use external viewers for viewing email attachments like
     zip-files. Before calling these viewers imp (imp/lib/mimetypes.lib)
     saves the attachment into a temporary file. These filenames are
     something like: /tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents).
     So the filename is quite easy to guess and the file is opened
     without O_EXCL (so creating a bunch of /tmp/imp.... symlinks is also
     possible). (Note: Jon Parise discovered this earlier [3].)
    
    Solution:
     Upgrade to imp-2.2.5 and use the 'upload_tmp_dir' directive (php.ini)
     to define a directory where uploaded files should go (see
     imp/docs/SECURITY for more information).
    
     Note: Imp-2.2.5 uses the PHP tempnam function for creating temporary
     files. With PHP versions earlier than 4.0.3? the tempnam function
     doesn't use mkstemp and so still has a race condition; upgrading to
     PHP-4.0.5 or patching PHP-3.0.18 to use mkstemp is advisable [4].
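     The two open patterns side by side, as an added example written for
     this archive page (not code from the advisory, imp or PHP): the
     predictable-name copy without O_EXCL that the advisory describes, and a
     mkstemp-based copy that creates the file with O_CREAT|O_EXCL. The
     scenario runs inside a private directory; the file names phpAbC123,
     phpAbC123.att and webserver_writable_file are constructed for the demo.

```python
import os
import shutil
import tempfile

def naive_save(upload_path, dest_path):
    """imp-2.2.4 pattern: open a predictable destination with O_CREAT but no
    O_EXCL; anything already at dest_path (e.g. a symlink) is followed."""
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with open(upload_path, "rb") as src, os.fdopen(fd, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return dest_path

def safe_save(upload_path, tmp_dir):
    """Hardened pattern: mkstemp picks an unpredictable name and creates it with
    O_CREAT|O_EXCL (mode 0600) in one step, so a pre-planted file or symlink
    makes creation fail instead of being followed.  Returns the copy's path."""
    fd, dest_path = tempfile.mkstemp(prefix="imp.", suffix=".att", dir=tmp_dir)
    try:
        with open(upload_path, "rb") as src, os.fdopen(fd, "wb") as dst:
            shutil.copyfileobj(src, dst)
    except BaseException:
        os.unlink(dest_path)
        raise
    return dest_path

def run_scenario():
    """Constructed scenario in a private directory: a webserver-writable file,
    an uploaded attachment, and a symlink planted at the predictable .att name."""
    base = tempfile.mkdtemp(prefix="imp-demo-")
    victim = os.path.join(base, "webserver_writable_file")
    upload = os.path.join(base, "phpAbC123")        # PHP's upload temp file
    planted = os.path.join(base, "phpAbC123.att")   # predictable destination
    with open(victim, "w") as f:
        f.write("original contents\n")
    with open(upload, "w") as f:
        f.write("attachment data\n")
    os.symlink(victim, planted)
    try:                                            # O_EXCL refuses the symlink
        os.close(os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    naive_save(upload, planted)                     # no O_EXCL: symlink followed
    with open(victim) as f:
        overwritten = f.read() == "attachment data\n"
    copy = safe_save(upload, base)                  # fresh, private O_EXCL file
    safe_ok = copy != planted and not os.path.islink(copy)
    shutil.rmtree(base)
    return {"excl_refused": excl_refused, "naive_overwrote_victim": overwritten,
            "safe_copy_private": safe_ok}
```

     The same O_EXCL check is what a mkstemp-backed tempnam gives PHP, which
     is why the advisory recommends the PHP upgrade alongside imp-2.2.5.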
    
    Credits:
     I would like to thank the horde team for creating a great webmail
     interface.
    
    References:
    1.
     devat_private discussion about imp tempfile problems.
     http://marc.theaimsgroup.com/?t=99018545400001&w=2&r=1
    
    2.
     David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
     http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html
    
    3.
     Patch for the imp/lib/mimetypes.lib temp file problem.
     http://marc.theaimsgroup.com/?l=horde-dev&m=97528008715710&w=2
    
    4.
     PHP tempnam function.
     http://marc.theaimsgroup.com/?l=php-dev&m=97972576709196&w=2
     http://marc.theaimsgroup.com/?t=94184107200002&w=2&r=1
     http://marc.theaimsgroup.com/?t=96811361900003&w=2&r=1
     http://marc.theaimsgroup.com/?t=96683455000001&w=2&r=1
    
    -Jarno
    
    -- 
    Jarno Huuskonen <Jarno.Huuskonenat_private>
    
    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 07:57:06 PDT