Matlab /tmp usage

From: Paul Szabo (pszat_private)
Date: Sun Dec 22 2002 - 11:08:48 PST


    INTRODUCTION
    
    MATLAB is "The Language of Technical Computing"
    http://www.mathworks.com/
    
    
    PROBLEM
    
    As installed on UNIX machines, matlab uses shell scripts to launch; these
    scripts use files in /tmp in an unsafe way.
    
    
    DETAILS
    
    The matlab script uses /tmp/$$a and may clobber it, allowing an attacker
    to "wipe out" any file belonging to the matlab user. Suppose the attacker
    guesses what PID will be used next and creates a symlink with
    
      ln -s ~victim/.profile /tmp/PIDa
    
    then waits for the victim to run matlab: the victim's .profile gets
    overwritten with garbage. (If root ever uses matlab then any file, e.g.
    /etc/passwd, could similarly be trashed.)
    
    It might be argued that it is hard to guess what PID will be used next.
    It is easy enough to create a few thousand symlinks with likely PIDs; in
    fact the attacker could create a symlink for every possible PID (as these
    normally range from 0 to 32k or 64k).
    
    The mex script may similarly clobber both /tmp/$$a and /tmp/$$b. Worse,
    it sources (executes) any existing /tmp/$$a script, allowing an attacker
    to execute any commands as the mex user. Proof-of-concept
    (script-kiddie-safe) code:
    
      echo 'echo You lose: rm -rf $HOME >> $HOME/.profile' > /tmp/evil
      perl -e 'for (1..32000) { symlink "/tmp/$_a", "/tmp/evil" }'
    
    then wait for any victim to use mex (if root ever uses mex then any
    actions may be taken).
    
    
    VENDOR COMMUNICATION
    
     5 Dec 2002  MathWorks notified
    10 Dec 2002  case ID is: 1034529
    16 Dec 2002  engineers [will] try to validate
    18 Dec 2002  working on a solution for the next release of MATLAB R14
    18 Dec 2002  if you have a WORKING fix ... [recommend] comp.soft-sys.matlab
    
    
    WORKAROUND/PATCH
    
    I suggest you use something similar to the following patches. (Standard
    textbook techniques: use a safe directory, and do not use files at all.)
    
    *** matlab/6.5/bin/matlab.old	Tue Sep 24 10:52:30 2002
    --- matlab/6.5/bin/matlab	Thu Dec 19 08:36:04 2002
    ***************
    *** 137,145 ****
      #
      # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
      #
    !     temp_file=/tmp/$$a
      #
    !     trap "rm -f $temp_file; exit 1" 1 2 3 15
      #
      #========================= archlist.sh (start) ============================
      #
    --- 137,147 ----
      #
      # Temporary file that hold MATLABPATH code from .matlab6rc.sh file.
      #
    !     temp_dir=/tmp/$$a
    !     temp_file=$temp_dir/a
    !     mkdir -m 700 $temp_dir || exit 1
      #
    !     trap "rm -rf $temp_dir; exit 1" 1 2 3 15
      #
      #========================= archlist.sh (start) ============================
      #
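
Review bot: at new line 141, `mkdir -m 700 $temp_dir || exit 1` stops the symlink clobber because mkdir fails on an existing name, but the name is still the guessable /tmp/$$a, so anyone who pre-creates those names makes the launcher exit with status 1 and no message. Suggest printing an error to stderr before exiting and, where the platform has it, taking the directory name from mktemp -d instead of $$. Also quote "$temp_dir" here and inside the trap string.
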
    ***************
    *** 1790,1798 ****
          echo '------------------------------------------------------------------------') >> $temp_file
      #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      	more $temp_file
    !         rm -f $temp_file
      	exit 0
          fi
      #
      # Export the variables
      #
    --- 1792,1801 ----
          echo '------------------------------------------------------------------------') >> $temp_file
      #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      	more $temp_file
    ! 	rm -rf $temp_dir
      	exit 0
          fi
    +     rm -rf $temp_dir
      #
      # Export the variables
      #
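
Review bot: cleanup now depends on two hand-placed `rm -rf $temp_dir` calls (new lines 1795 and 1798) plus the signal trap, so any other exit path leaves /tmp/$$a behind, and a leftover directory makes a later run that gets the same PID fail at the mkdir added near line 141. Consider a separate trap on 0 (exit) that only removes the directory, so every exit path is covered, and confirm nothing after line 1798 still reads $temp_file.
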
    
    *** matlab/6.5/bin/mex.old	Tue Sep 24 10:52:30 2002
    --- matlab/6.5/bin/mex	Thu Dec 19 11:07:34 2002
    ***************
    *** 1014,1021 ****
              exit 1
          fi
          if [ "$verbose" = "1" ]; then
    !         temp_file=/tmp/$$b
    !         files_to_remove="$files_to_remove $temp_file"
              . $MATLAB/bin/util/oscheck.sh
              if [ "$oscheck_status" = "1" ]; then
                  cleanup
    --- 1014,1023 ----
              exit 1
          fi
          if [ "$verbose" = "1" ]; then
    !         temp_dir=/tmp/$$b
    !         temp_file=$temp_dir/b
    !         files_to_remove="$files_to_remove $temp_dir"
    !         mkdir -m 700 $temp_dir || exit 1
              . $MATLAB/bin/util/oscheck.sh
              if [ "$oscheck_status" = "1" ]; then
                  cleanup
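
Review bot: `files_to_remove` gains `$temp_dir` at new line 1019 before the mkdir on line 1020 has succeeded, and the entry is now a directory rather than a file. Move the append after the mkdir so a failed mkdir never registers a path this process does not own, and check that cleanup deletes with rm -rf, since rm -f will not remove a directory. The bare `|| exit 1` also skips the `cleanup` call that the neighbouring error path makes.
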
    ***************
    *** 1031,1038 ****
      #
      # Source the file of argument variables, name=[def]
      #
    !     if [ -f /tmp/$$a ]; then
    !         . /tmp/$$a
          fi
      
      #
    --- 1033,1043 ----
      #
      # Source the file of argument variables, name=[def]
      #
    !     #if [ -f /tmp/$$a ]; then
    !     #    . /tmp/$$a
    !     #fi
    !     if [ -n "$EVAL_ASSIGNS" ]; then
    !       eval "$EVAL_ASSIGNS"
          fi
      
      #
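
Review bot: new lines 1036-1038 keep the old source-from-/tmp block as commented-out code, and the header comment on line 1034 still reads "Source the file of argument variables", which no longer matches what the code does. Delete the dead lines and reword the comment to say the assignments are evaluated from EVAL_ASSIGNS. The eval on line 1040 is only as safe as the quoting applied where EVAL_ASSIGNS is built, so the comment should point at that code.
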
    ***************
    *** 1505,1510 ****
    --- 1510,1516 ----
         ARCH=
          Arch='Undetermined'
          verbose=0
    +     EVAL_ASSIGNS=
      #
      #  Use a C entry point by default
      #
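
Review bot: the `EVAL_ASSIGNS=` reset at new line 1513 is security-relevant and needs a comment: without it, a value inherited from the caller's environment would reach the `eval "$EVAL_ASSIGNS"` added at line 1040. Say so next to the assignment so a later tidy-up does not drop it as a redundant initialiser, and make sure this initialisation always runs before the eval.
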
    ***************
    *** 1698,1705 ****
                  *[=\#]*)
                      lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                      rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
    !                 echo $lhs='"'$rhs'"' >> /tmp/$$a
    !                 files_to_remove="$files_to_remove /tmp/$$a"
                      ;;
                  *.c) # c source file.
                      cfiles='1'
    --- 1704,1712 ----
                  *[=\#]*)
                      lhs=`expr "$1" : '\([a-zA-Z0-9_]*\)[=\#].*'`
                      rhs=`expr "$1" : '[a-zA-Z0-9_]*[=\#]\(.*\)$'`
    !                 #echo $lhs='"'$rhs'"' >> /tmp/$$a
    !                 #files_to_remove="$files_to_remove /tmp/$$a"
    !                 EVAL_ASSIGNS="$EVAL_ASSIGNS$lhs="'"'"$rhs"'";'
                      ;;
                  *.c) # c source file.
                      cfiles='1'
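
Review bot: at new line 1709 `$rhs` is wrapped in double quotes and later passed to eval, so a value containing a double quote, backquote or `$` is re-interpreted by the shell instead of being assigned literally; the old sourced file behaved the same way, but this rewrite is the place to fix it. Suggest single-quoting the value with embedded single quotes escaped, and skipping the entry when `$lhs` comes back empty from expr. The commented-out lines 1707-1708 can be deleted.
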
    
    
    SIGNATURE
    
    Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics  University of Sydney   2006  Australia
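
The "use a safe directory" technique from the WORKAROUND section, shown beside the pattern it replaces. This is an added example, not code from the advisory or from MathWorks; the function names are hypothetical, and everything runs inside a throwaway sandbox directory rather than the real /tmp. It goes one step beyond the patch by retrying with another name when the first one is already taken.

```shell
#!/bin/sh
# Added example, not MathWorks or advisory code; function names are hypothetical.

# Pattern the advisory describes: a fixed, guessable name opened with '>'.
# If that name is already a symlink, the redirect follows it.
legacy_write() {    # $1 = temp base dir, $2 = data
    echo "$2" > "$1/$$a"
}

# Hardened form: make a mode-700 directory first. mkdir never follows a
# symlink and fails if the name exists, so on collision try another name
# rather than exiting (which would let pre-planted names block every run).
private_dir() {     # $1 = temp base dir; prints the directory created
    n=0
    while [ "$n" -lt 50 ]; do
        d="$1/$$a.$n"
        if (umask 077; mkdir "$d") 2>/dev/null; then
            echo "$d"
            return 0
        fi
        n=$((n + 1))
    done
    echo "private_dir: cannot create a scratch directory in $1" >&2
    return 1
}

private_write() {   # $1 = temp base dir, $2 = data; prints the file path
    dir=$(private_dir "$1") || return 1
    echo "$2" > "$dir/a" || return 1
    echo "$dir/a"
}

# Constructed demonstration inside a throwaway sandbox, never the real /tmp.
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    echo "precious" > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/$$a"      # pre-planted link, legacy name
    ln -s "$sandbox/victim" "$sandbox/$$a.0"    # pre-planted link, first hardened name
    out=$(private_write "$sandbox" "scratch") || return 1
    after_private=$(cat "$sandbox/victim")
    legacy_write "$sandbox" "scratch"
    after_legacy=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    echo "$after_private|$after_legacy|${out##*/$$a.}"
}

demo    # prints precious|scratch|1/a
```

The three fields are the victim file after the hardened write (untouched), the victim file after the legacy write (overwritten), and the name the hardened path ended up using after skipping the pre-planted one.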
    


