Jarno Huuskonen wrote:

> After that I looked at the tripwire sources and confirmed the problem.
> (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
> tw/textreportviewer.cpp).

If you noticed, a few more lines down the file gets removed.

-> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const throw(eFSServices)
-> {
-> ...
-> // create temp filename
-> pchTempFileName = mktemp( szTemplate );
-> ...
-> strName = pchTempFileName;
-> ...
->
-> // Linux creates the file!! Doh!
-> // So I'll always attempt to delete it -bam
-> FileDelete( strName );
->
-> return( strName );
-> }

So it's going to be a really tight race, since the file would have to be created just after FileDelete is called.

-> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 openFlags )
-> {
-> ...
-> // if filename is NULL, create a temp file for the caller
-> if( filename == NULL )
-> {
-> try
-> {
-> iFSServices::GetInstance()->GetTempDirName( strTempFile );
-> strTempFile += _T("twtempXXXXXX");
-> iFSServices::GetInstance()->MakeTempFilename( strTempFile );
-> ...
-> // open file
-> mCurrentFilename = filename ? filename : strTempFile.c_str();
-> mCurrentFile.Open( mCurrentFilename, flags );
-> ...
-> }

I've been trying to think of a way to exploit this. The only way I could foresee was if you could run an exploit as a cron job timed with a tripwire cron run as root; the exploit would create a lot of symlinks right before tripwire runs, which could allow creation of files as root, but if the file gets removed then really what you'd need is a way to watch all the symlinks you've created and, the instant one is removed, create it again (run-on sentence;). Any ideas?

The patch should be to use mkstemp() if the OS is Linux.

Best Regards,
Charles Stevenson
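The race discussed in the message above, reduced to a stand-alone C program (added example, not tripwire code and not from either poster): the "unsafe" path copies the quoted sequence, mktemp() picks a name, the name is deleted, and only later is it opened with O_CREAT but without O_EXCL, while the attacker's move in the window is simulated by a direct symlink() call rather than a real cron race. The "safe" path does what the message proposes and calls mkstemp(). The scratch directory, the file names and the victim's contents are constructed for the demo.

```c
/* Added example (not tripwire code): the mktemp()/delete/open window beside
 * the mkstemp() fix. Directory, file names and contents are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Attacker's move in the race window: plant a symlink at the temp name that
 * is about to be opened, pointing at the file to clobber. */
static int plant_symlink(const char *tmpname, const char *victim) {
    return symlink(victim, tmpname);      /* -1/EEXIST once mkstemp() holds the name */
}

/* Vulnerable sequence, modeled on the quoted MakeTempFilename() followed by
 * OpenReadWrite(): mktemp() picks a name, the name is deleted, and the name is
 * later opened without O_EXCL, so whatever sits at the path by then is followed. */
static int open_temp_unsafe(char *tmpl, const char *victim) {
    if (mktemp(tmpl) == NULL || tmpl[0] == '\0')
        return -1;
    unlink(tmpl);                          /* the "FileDelete( strName )" step */
    plant_symlink(tmpl, victim);           /* attacker wins the race here */
    return open(tmpl, O_RDWR | O_CREAT, 0600);
}

/* Hardened sequence: mkstemp() creates and opens the file in one step with
 * O_CREAT|O_EXCL, so the attacker's symlink() fails with EEXIST and the fd
 * can only refer to the freshly created regular file. */
static int open_temp_safe(char *tmpl, const char *victim) {
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    plant_symlink(tmpl, victim);           /* too late: the name already exists */
    return fd;
}

/* Run one scenario in a private scratch directory. Returns 1 if writing to the
 * "temp" fd clobbered the victim file, 0 if the victim is untouched, -1 on
 * setup failure. */
int victim_clobbered(int use_mkstemp) {
    char dir[4096], tmpl[4096], victim[4096], buf[64];
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    int fd, vfd, result = -1;
    ssize_t n;

    snprintf(dir, sizeof dir, "%s/twraceXXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpl, sizeof tmpl, "%s/twtempXXXXXX", dir);

    /* Constructed victim file; in a real attack this is a root-owned file. */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        goto out;
    if (write(vfd, "original", 8) != 8) { close(vfd); goto out; }
    close(vfd);

    fd = use_mkstemp ? open_temp_safe(tmpl, victim) : open_temp_unsafe(tmpl, victim);
    if (fd < 0)
        goto out;
    if (write(fd, "PWNED", 5) != 5) { close(fd); goto out; }  /* the report write */
    close(fd);

    vfd = open(victim, O_RDONLY);
    if (vfd < 0)
        goto out;
    n = read(vfd, buf, sizeof buf - 1);
    close(vfd);
    if (n < 0)
        goto out;
    buf[n] = '\0';
    result = strcmp(buf, "original") != 0;

out:
    unlink(tmpl);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("mktemp()+open(): victim clobbered = %d\n", victim_clobbered(0));
    printf("mkstemp():       victim clobbered = %d\n", victim_clobbered(1));
    return 0;
}
```

Two caveats for anyone applying the fix: mkstemp() is POSIX, not Linux-specific, so the same call works on the other Unixes tripwire builds on; and very old C libraries created the file with mode 0666, so an fchmod(fd, 0600) after mkstemp() (or a restrictive umask) is cheap insurance. The returned fd, not the path, must then be what the code keeps using; reopening by name reintroduces the window.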
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 06:58:49 PDT