6729559 2001-07-09 23:32 -0600  /69 lines/ Charles Stevenson <core@ezlink.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10  16:49  by Brevbäraren
External recipient: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
External copy recipient: Bugtraq <bugtraq@securityfocus.com>
External copy recipient: Vuln-dev <vuln-dev@securityfocus.com>
Recipient: Bugtraq (import) <17887>
Comment to text 6725236 by Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
Subject: Re: Tripwire temporary files
------------------------------------------------------------
From: Charles Stevenson <core@ezlink.com>
To: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
Cc: Bugtraq <bugtraq@securityfocus.com>,
 Vuln-dev <vuln-dev@securityfocus.com>
Message-ID: <3B4A936D.FF2DA075@ezlink.com>

Jarno Huuskonen wrote:

>  After that I looked at the tripwire sources and confirmed the problem.
>  (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
>  tw/textreportviewer.cpp).

If you noticed, a few more lines down the file gets removed.

-> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const throw(eFSServices)
-> {
-> ...
->     // create temp filename
->     pchTempFileName = mktemp( szTemplate );
-> ...
->     strName = pchTempFileName;
-> ...
-> 
->     // Linux creates the file!!  Doh!
->     // So I'll always attempt to delete it -bam
->     FileDelete( strName );
-> 
-> 	return( strName );
-> }

So it's going to be a really tight race since the file would have to
be created just after FileDelete is called.

-> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 openFlags )
-> {
-> ...
->     // if filename is NULL, create a temp file for the caller
->     if( filename == NULL )
->       {
->         try
->           {
->             iFSServices::GetInstance()->GetTempDirName( strTempFile );
->             strTempFile += _T("twtempXXXXXX");
->             iFSServices::GetInstance()->MakeTempFilename( strTempFile );
-> ...
->     // open file
->     mCurrentFilename = filename ? filename : strTempFile.c_str();
->     mCurrentFile.Open( mCurrentFilename, flags );
-> ...
-> }

I've been trying to think of a way to exploit this. The only way I
could foresee was if you could run an exploit as a cron job timed with a
tripwire cron run as root, and the exploit would create a lot of
symlinks right before tripwire runs, which could allow creation of
files as root; but if the file gets removed then really what you'd
need is a way to watch all the symlinks you've created and, the
instant one is removed, create it again (run on sentence;).  Any ideas?

The patch should be to use mkstemp() if the OS is Linux.

Best Regards,
Charles Stevenson
(6729559) /Charles Stevenson <core@ezlink.com>/(Reflowed)
6729572 2001-07-10 11:13 +0200  /24 lines/ Paul Starzetz <paul@starzetz.de>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10  16:53  by Brevbäraren
External recipient: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
External recipient: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <17889>
Comment to text 6725236 by Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
Subject: Re: Tripwire temporary files
------------------------------------------------------------
From: Paul Starzetz <paul@starzetz.de>
To: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>,
 "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Message-ID: <3B4AC732.1EE59E6E@starzetz.de>

Jarno Huuskonen wrote:

>  I found out about the problem when I noticed a temporary file
>  /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire
>  binary with strace and noticed that temporary files in /tmp are opened
>  without the O_EXCL flag.

Here is a strace from tripwire 1.2 (Source RPM:
tripwire-1.2-223.src.rpm):

open("/tmp/twznG1Eud", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4
open("/tmp/twzd9tWqg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
open("/tmp/twzzykpkj", O_RDWR|O_CREAT, 0600) = 4

Nowhere is the current pid used; instead a 6-byte template appears,
which is not really predictable (at least it shouldn't be!).

Ihq.
(6729572) /Paul Starzetz <paul@starzetz.de>/(Reflowed)
Comment in text 6729755 by Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
6729755 2001-07-10 13:20 +0300  /31 lines/ Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10  17:32  by Brevbäraren
External recipient: Paul Starzetz <paul@starzetz.de>
External copy recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17892>
Comment to text 6729572 by Paul Starzetz <paul@starzetz.de>
Subject: Re: Tripwire temporary files
------------------------------------------------------------
From: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
To: Paul Starzetz <paul@starzetz.de>
Cc: bugtraq@securityfocus.com
Message-ID: <20010710132041.C38666@messi.uku.fi>

On Tue, Jul 10, Paul Starzetz wrote:
> Jarno Huuskonen wrote:
> 
> >  I found out about the problem when I noticed a temporary file
> >  /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire
> >  binary with strace and noticed that temporary files in /tmp are opened
> >  without the O_EXCL flag.
> 
> Here a strace from tripwire 1.2 (Source RPM: tripwire-1.2-223.src.rpm):
> 
> open("/tmp/twznG1Eud", O_RDWR|O_CREAT|O_TRUNC, 0666) = 4
> open("/tmp/twzd9tWqg", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
> open("/tmp/twzzykpkj", O_RDWR|O_CREAT, 0600) = 4
> 
> nowhere the current pid is used - instead a 6 byte template appears,
> which is not really predictable (at least shouldn't be!).

So that version of tripwire is not compiled with a glibc that uses a
letter + pid as the unique/random part. I only mentioned that the
binary version of tripwire (2.2.1) available from www.tripwire.com
does that.  But as you can see it doesn't use O_EXCL, so if the
'random' file happens to be a symlink tripwire will overwrite files.

-Jarno
(6729755) /Jarno Huuskonen <Jarno.Huuskonen@uku.fi>/(Reflowed)
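The following is an added example, not tripwire code and not written by any of the posters above. It reproduces, deterministically, the two points the thread makes: the window Charles Stevenson identifies between FileDelete() and Open() in the first message, and the missing O_EXCL that Paul Starzetz's strace shows and Jarno Huuskonen's reply explains. Assumptions: the temp name is modelled on the "letter + pid" scheme Jarno describes (twtempa<pid>) rather than taken from any real glibc mktemp(); a hook function stands in for an attacker who wins the race and plants a symlink; and the scenario runs in a scratch directory under /tmp (falling back to the current directory). The vulnerable open uses the exact flags from the strace, O_CREAT|O_TRUNC without O_EXCL; it is shown beside an O_EXCL open on the same name and beside the mkstemp() fix the thread proposes.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook run in the window between FileDelete() and Open() that the thread
 * calls a "really tight race". A real attacker would spin recreating the
 * symlink; the demo simply plants it here so the outcome is deterministic. */
typedef void (*race_hook_t)(const char *tmpname, void *ctx);

/* Assumed model of the predictable names Jarno describes (a letter plus the
 * pid, e.g. /tmp/twtempa19212). Not a copy of any glibc mktemp(). */
static void predictable_name(const char *dir, char *out, size_t outlen) {
    snprintf(out, outlen, "%s/twtempa%ld", dir, (long)getpid());
}

/* Vulnerable pattern, modelled on the quoted MakeTempFilename() + Open():
 * delete whatever is at the name, then open with O_CREAT|O_TRUNC and no
 * O_EXCL, the flags seen in Paul's strace. open() follows a symlink planted
 * in between and truncates its target. */
int open_temp_vulnerable(const char *name, race_hook_t hook, void *ctx) {
    unlink(name);               /* "So I'll always attempt to delete it" */
    if (hook) hook(name, ctx);  /* attacker wins the race here */
    return open(name, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Same predictable name, but with O_EXCL: open() fails with EEXIST when
 * anything (a symlink included) already exists at the path, so nothing
 * is followed. */
int open_temp_excl(const char *name) {
    return open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* The fix proposed in the thread: mkstemp() chooses the name and creates
 * the file with O_CREAT|O_EXCL and mode 0600 in one call, so no window
 * exists between choosing the name and creating the file. */
int open_temp_mkstemp(char *tmpl) {
    return mkstemp(tmpl);
}

/* Simulated attacker: point the predicted temp name at a victim file.
 * ctx is the victim's name relative to the temp directory. */
static void plant_symlink(const char *tmpname, void *ctx) {
    symlink((const char *)ctx, tmpname);
}

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs the whole scenario in a private scratch directory. Returns 1 when
 * the vulnerable open truncated the victim through the symlink, the O_EXCL
 * open refused with EEXIST, and mkstemp() produced a fresh file; else 0. */
int demo_tripwire_race(void) {
    char dir[64];
    strcpy(dir, "/tmp/twdemoXXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "twdemoXXXXXX");        /* fall back to the cwd */
        if (mkdtemp(dir) == NULL) return 0;
    }

    char victim[4096], name[4096], tmpl[4096];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    predictable_name(dir, name, sizeof name);
    snprintf(tmpl, sizeof tmpl, "%s/twtempXXXXXX", dir);

    FILE *f = fopen(victim, "w");
    if (f == NULL) { rmdir(dir); return 0; }
    fputs("important data\n", f);            /* constructed victim content */
    fclose(f);

    int fd = open_temp_vulnerable(name, plant_symlink, "victim.txt");
    int clobbered = (fd >= 0) && file_size(victim) == 0;
    if (fd >= 0) close(fd);

    int fd2 = open_temp_excl(name);           /* the symlink is still there */
    int refused = (fd2 == -1) && (errno == EEXIST);
    if (fd2 >= 0) close(fd2);

    int fd3 = open_temp_mkstemp(tmpl);
    int created = (fd3 >= 0) && strstr(tmpl, "XXXXXX") == NULL
                  && file_size(tmpl) == 0;
    if (fd3 >= 0) { close(fd3); unlink(tmpl); }

    unlink(name);      /* removes the planted symlink, not the victim */
    unlink(victim);
    rmdir(dir);
    return clobbered && refused && created;
}

int main(void) {
    printf("symlink race reproduced: %s\n",
           demo_tripwire_race() ? "yes" : "no");
    return 0;
}
```

The point of keeping open_temp_excl() next to open_temp_mkstemp() is that O_EXCL alone already stops the symlink from being followed, but the name is still predictable and still chosen before the file exists; mkstemp() removes the window entirely by choosing and creating in one step. On Linux, adding O_NOFOLLOW is a further belt-and-braces option, but the O_EXCL/EEXIST behaviour shown here is the portable guarantee.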