Re: Tripwire temporary files

From: Ron DuFresne (dufresneat_private)
Date: Tue Jul 10 2001 - 14:36:09 PDT


    On Mon, 9 Jul 2001, Charles Stevenson wrote:
    
    > Jarno Huuskonen wrote:
    > 
    > >  After that I looked at the tripwire sources and confirmed the problem.
    > >  (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
    > >  tw/textreportviewer.cpp).
    > 
    > If you noticed a few more lines down the file gets removed.
    
    
    
    Unless the tripwire process is halted for some reason, like a system
    crash, or reboot during the run, etc.  In those cases the temp file<s> are
    left untouched.
    
    Thanks,
    
    Ron DuFresne
    
    
    
    
    
    
    > 
    > -> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const throw(eFSServices)
    > -> {
    > -> ...
    > ->     // create temp filename
    > ->     pchTempFileName = mktemp( szTemplate );
    > -> ...
    > ->     strName = pchTempFileName;
    > -> ...
    > -> 
    > ->     // Linux creates the file!!  Doh!
    > ->     // So I'll always attempt to delete it -bam
    > ->     FileDelete( strName );
    > -> 
    > -> 	return( strName );
    > -> }
    > 
    > So it's going to be a really tight race since the file would have to be
    > created just after FileDelete is called.
    > 
    > -> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 openFlags )
    > -> {
    > -> ...
    > ->     // if filename is NULL, create a temp file for the caller
    > ->     if( filename == NULL )
    > ->       {
    > ->         try
    > ->           {
    > ->             iFSServices::GetInstance()->GetTempDirName( strTempFile );
    > ->             strTempFile += _T("twtempXXXXXX");
    > ->             iFSServices::GetInstance()->MakeTempFilename( strTempFile );
    > -> ...
    > ->     // open file
    > ->     mCurrentFilename = filename ? filename : strTempFile.c_str();
    > ->     mCurrentFile.Open( mCurrentFilename, flags );
    > -> ...
    > -> }
    > 
    > I've been trying to think of a way to exploit this. The only way I could
    > foresee was if you could run an exploit as a cron timed with a tripwire
    > cron run as root and the exploit would create a lot of symlinks right
    > before tripwire runs which could allow creation of files as root but if
    > the file gets removed then really what you'd need is a way to watch all
    > the symlinks you've created and the instant one is removed create it
    > again (run on sentence;).  Any ideas?
    > 
    > The patch should be to use mkstemp() if the OS is Linux.
    > 
    > Best Regards,
    > Charles Stevenson
    > 
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
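
The mkstemp() replacement suggested in the quoted message, together with a way to avoid the leftover files a crash or reboot produces, as an added example that is not part of the original thread and is not Tripwire code. The helper names, the `/tmp` scratch location and the unlink-immediately option are assumptions; the latter only suits callers that need the descriptor and not the file name.

```cpp
// Added example (not Tripwire source). Helper names are hypothetical.
#include <cerrno>
#include <string>
#include <vector>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

// Create and open a temp file in one atomic step. mkstemp() opens with
// O_CREAT|O_EXCL, so a name planted in advance (file or symlink) is never
// followed; mkstemp simply tries another name.
// unlink_now=true drops the name right away, so a crash or reboot during
// the run leaves nothing behind in the temp directory.
int OpenPrivateTemp(const std::string& dir, bool unlink_now, std::string* name) {
    std::string tmpl = dir + "/twtempXXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    mode_t old = umask(077);   // older libcs did not force mode 0600
    int fd = mkstemp(buf.data());
    umask(old);
    if (fd < 0) return -1;
    if (name) *name = buf.data();
    if (unlink_now && unlink(buf.data()) != 0) { close(fd); return -1; }
    return fd;
}

// Shows why exclusive creation closes the mktemp()/open() window: with a
// symlink already sitting at the chosen name, open() fails with EEXIST and
// the link target is never created. Works in its own scratch directory.
bool ExclusiveCreateRefusesSymlink() {
    char dir[] = "/tmp/twdemoXXXXXX";
    if (!mkdtemp(dir)) return false;
    std::string link = std::string(dir) + "/twtemp000000";  // constructed name
    std::string target = std::string(dir) + "/target";
    bool ok = symlink(target.c_str(), link.c_str()) == 0;
    int fd = open(link.c_str(), O_RDWR | O_CREAT | O_EXCL, 0600);
    ok = ok && fd < 0 && errno == EEXIST && access(target.c_str(), F_OK) != 0;
    if (fd >= 0) close(fd);
    unlink(link.c_str());
    unlink(target.c_str());
    rmdir(dir);
    return ok;
}
```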
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 21:45:02 PDT