Getting tempfile/mktemp wrong

2014-01-22 / 2014-01-23
Credit: Helmut
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

Hi, I (re?)discovered an entertaining way to introduce tmpfile vulnerabilities while using the right tools (tempfile/mktemp). The general pattern is: TEMPFILE=`tempfile`.suffix as opposed to TEMPFILE=`tempfile --suffix .suffix` An attacker can monitor /tmp using inotify, wait for the relevant file to be created and can the quickly create the corresponding tmpfile.suffix symbolic link to escalate privileges. This can be found in: 1) localepurge http://bugs.debian.org/736359 $ grep tempfile -r . ./debian/postrm: DEBREINSTALL="$(tempfile).$$" ./debian/localepurge.config:TEMPFILE=$(tempfile).$$ ./debian/localepurge.config:LOCALEGEN=$(tempfile).locale.gen $ The localepurge package is Debian-specific. The relevant runs at installation time as root. 2) syncevolution http://bugs.debian.org/736357 $ grep 'mktemp`\.' -r . ./src/syncevo/installcheck-local.sh:TMPFILE_CXX=`mktemp`.cxx ./src/syncevo/installcheck-local.sh:TMPFILE_O=`mktemp`.o $ The relevant code is part of the upstream package and is executed at build time. 3) axiom (packaging) http://bugs.debian.org/736358 $ grep 'tempfile).' -r . ./debian/axiom-test.sh:k=$(tempfile).input $ The relevant code is part of the Debian packaging (upstream axiom is not affected). It can be used on Debian systems to run the test suite when the relevant package is installed. The Debian bug reports are the initial public mentioning of these particular issues. Please assign CVE identifiers as needed.

References:

http://bugs.debian.org/736359


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top