Re: Tripwire temporary files

• Previous message: Charles Stevenson: "Re: Tripwire temporary files"
• In reply to: Charles Stevenson: "Re: Tripwire temporary files"
• Next in thread: Ron DuFresne: "Re: Tripwire temporary files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On the older versions of tripwire, and likely before this patch, the
easiest exploit was to symlink the temporary tripwire database back to the
original tripwire database it was using to test against.

If you raced it properly, it would cause tripwire not to see any changes
at all.

I was able to do this in a shell script for older releases -- but i didnt
test against this most recent version.




On Mon, 9 Jul 2001, Charles Stevenson wrote:

> Jarno Huuskonen wrote:
>
> >  After that I looked at the tripwire sources and confirmed the problem.
> >  (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
> >  tw/textreportviewer.cpp).
>
> If you noticed a few more lines down the file get's removed.
>
> -> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const
> throw(eFSServices)
> -> {
> -> ...
> ->     // create temp filename
> ->     pchTempFileName = mktemp( szTemplate );
> -> ...
> ->     strName = pchTempFileName;
> -> ...
> ->
> ->     // Linux creates the file!!  Doh!
> ->     // So I'll always attempt to delete it -bam
> ->     FileDelete( strName );
> ->
> -> 	return( strName );
> -> }
>
> So it's going to be a really tight race since the file would have to be
> created just after FileDelete is called.
>
> -> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR*
> filename, uint32 openFlags )
> -> {
> -> ...
> ->     // if filename is NULL, create a temp file for the caller
> ->     if( filename == NULL )
> ->       {
> ->         try
> ->           {
> ->             iFSServices::GetInstance()->GetTempDirName( strTempFile
> );
> ->             strTempFile += _T("twtempXXXXXX");
> ->             iFSServices::GetInstance()->MakeTempFilename( strTempFile
> );
> -> ...
> ->     // open file
> ->     mCurrentFilename = filename ? filename : strTempFile.c_str();
> ->     mCurrentFile.Open( mCurrentFilename, flags );
> -> ...
> -> }
>
> I've been trying to think of a way to exploit this. The only way I could
> foresee was if you could run an exploit as a cron timed with a tripwire
> cron run as root and the exploit would create a lot of symlinks right
> before tripwire runs which could allow creation of files as root but if
> the file get's removed then really what you'd need is a way to watch all
> the symlinks you've created and the instant one is removed create it
> again (run on sentence;).  Any ideas?
>
> The patch should be to use mkstemp() if the OS is Linux.
>
> Best Regards,
> Charles Stevenson
>

• Next message: KF: "ml85p - driver for Samsung ML-85G and /tmp"
• Previous message: Charles Stevenson: "Re: Tripwire temporary files"
• In reply to: Charles Stevenson: "Re: Tripwire temporary files"
• Next in thread: Ron DuFresne: "Re: Tripwire temporary files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 08:28:34 PDT