Tripwire temporary files

From: Jarno Huuskonen (Jarno.Huuskonenat_private)
Date: Sun Jul 08 2001 - 23:04:57 PDT

          ------------------------------------------------------------
                      Insecure temporary files in Tripwire
                             Jarno.Huuskonenat_private
                          $Date: 2001/07/09 05:02:02 $
          ------------------------------------------------------------
    
    Author:
     Jarno Huuskonen <Jarno.Huuskonenat_private>
    
    Discovered:
     Tue 16 Jan 2001
    
    Vendor status:
     Vendor contacted on Tue, 16 Jan 2001.
     Fixed version available from: http://sourceforge.net/projects/tripwire/
    
    Platforms:
     Tripwire 2.2.1, tripwire 2.3.0 (and tripwire-ASR-1.3.1). I tested the
     vulnerability only on Linux, so I can't confirm if other platforms or
     versions are affected or not (but I believe that versions < 2.4 are).
    
    Severity:
     Possible local file overwrite (symlink attack). (For more information
     about race conditions see [1][2][3].)
    
    Abstract:
     Tripwire opens/creates temporary files insecurely. Insecure temporary
     files are created at least when scanning the filesystem and updating
     the tripwire database.
    
    Details:
     Tripwire opens/creates temporary files in /tmp without the O_EXCL
     flag. The temporary filenames are generated with mktemp(). This
     makes it possible for a local user to overwrite files with root (the
     user running tripwire) permissions.
    
     I found out about the problem when I noticed a temporary file
     /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire
     binary with strace and noticed that temporary files in /tmp are opened
     without the O_EXCL flag.
    
     After that I looked at the tripwire sources and confirmed the problem.
     (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
     tw/textreportviewer.cpp).
    
     Insecure files are created at least when running:
      tripwire --check
      tripwire --update -r reportdir/reportfile
      tripwire --check --email-report
    
     Tripwire-2.2.1 for Linux (the binary version available from
     http://www.tripwire.com) seems to be the easiest to exploit because
     it is statically linked with mktemp that uses the PID of tripwire for
     creating the 'unique' filename. In all of my tests with this version
     the temporary filename was /tmp/twtempaPID.
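
Added example (not from the advisory or the Tripwire sources): a C comparison of the open pattern described above with an O_CREAT|O_EXCL open, run against a pre-existing symlink inside a private sandbox directory. The helper names, file names, the PID 12345 and every flag other than the missing O_EXCL are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Advisory's pattern: predictable name, no O_EXCL (other flags assumed). */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
 * including a symlink, already exists at the path. */
static int open_tmp_excl(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the O_EXCL open refused a pre-existing symlink while the
 * unsafe open followed it and truncated its target; -1 on setup failure. */
int compare_temp_opens(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX";   /* constructed sandbox directory */
    char target[64], lnk[64];
    struct stat st;
    int fd, excl_refused, truncated;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(lnk, sizeof lnk, "%s/twtempa12345", dir);  /* made-up PID */

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(target, lnk) != 0) return -1;

    fd = open_tmp_excl(lnk);
    excl_refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    fd = open_tmp_unsafe(lnk);
    if (fd >= 0) close(fd);
    truncated = (stat(target, &st) == 0 && st.st_size == 0);
    unlink(lnk); unlink(target); rmdir(dir);
    return excl_refused && truncated;
}

int main(void) { printf("%d\n", compare_temp_opens()); return 0; }
```

In new code, mkstemp() gives both an unpredictable name and an exclusive create in a single call.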
    
    Solution:
     Install the fixed tripwire and use the new TEMPDIRECTORY configuration
     option so that tripwire uses a temporary directory writable only by
     root (e.g. /root/tmp).
    
     Note: tripwire-2.3.1-2 (from sourceforge) still has one unsafe
     temporary file open (see tripwire-2.3.1-2/src/core/archive.cpp
     cLockedTemporaryFileArchive::OpenReadWrite).
    
    Possible workaround:
     It appears possible to patch binary tripwire (2.2.1) to create
     temporary files in a directory other than /tmp. To do this edit the
     tripwire binaries: siggen, tripwire, twadmin and twprint, and replace
     the twtempXXXXXX strings with e.g. tw/tmpXXXXXX. Now tripwire creates
     temporary files in the /tmp/tw directory (the /tmp/tw directory should
     be owned by root and writable only by root). Note: If you're going to edit
     the binaries do it at your own risk AND read the tripwire license
     before doing so! (and only if you can't get an updated tripwire).
    
    Credits:
     I would like to thank Ron Forrester from Tripwire for handling my bug
     report.
    
    References:
    1.
     David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
     http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html
    
    2.
     Kris Kennaway's post to Bugtraq about temporary files.
     http://lwn.net/2000/1221/a/sec-tmp.php3
    
    3.
     Creating Secure Software: 
     http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf
    
    -- 
    Jarno Huuskonen <Jarno.Huuskonenat_private>
    


