Tripwire vulnerable to arbitrary file overwriting via symlink redirection of temporary file

Overview

Tripwire is a file integrity verification utility for Unix and Linux operating systems. In some implementations, tripwire opens insecure temporary files with predictable names in publically-writable directories. Using a symbolic link attack, a local intruder may overwrite or create arbitrary files on machines running tripwire.

Description

Tripwire opens temporary files in /tmp using predictable names without first checking for prior existence or ownership of these files. The files are opened when building or updating tripwire’s database of file checksums.

---

Impact

By creating symbolic links with appropriate names within a very tight time window, a local attacker may be able to redirect the data sent to the temporary file to arbitrary files on machines running tripwire. Since tripwire normally is executed by the system administrator, file protections will not apply. The file overwrite may result in disabling of system services, crashing the machine, or disabling of system protections.

---

Solution

Apply vendor patches; see the Systems Affected section below.

---

Clear /tmp prior to execution of tripwire.

---

Vendor Information

349019

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

MandrakeSoft __ Affected

Notified: July 09, 2001 Updated: September 27, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/mandrake_advisory-1502.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23349019 Feedback>).

Tripwire __ Affected

Notified: October 09, 2001 Updated: October 29, 2001

Status

Affected

Vendor Statement

The vulnerability exists in Tripwire versions prior to 2.4.0 and commercial customers should be encouraged to upgrade to the most current shipping product, version 2.4.2. Open Source and ASR users should upgrade to Open Source version 2.3.1-2 or later (see ``<http://www.sourceforge.net/projects/tripwire>`` for the latest information) or apply the documented code fixes to their particular release and recompile. In version Commercial 2.4.x and Open Source 2.3.1-2, the O_EXCL flag is used when opening temporary files, to insure the temporary file does not already exist, thus making the exploit much more difficult.

In version, 2.4.0 and greater, we have implemented a variable that allows a user to specify a Tripwire specific temp directory whose permissions can be set to only be writeable by tripwire (typically run as root). The traditional /tmp directory is writeable by world which enables the various exploits. Setting TEMPDIRECTORY to a directory whose permissions are closely controlled removes any possibility of a non-root user using temp directory exploits to modify tripwire behavior.
Tripwire, Inc. has been actively developing a commercial version of Tripwire for Servers which is fully verified and maintained for a wide variety of hardware and software platforms. We recommend the use of Tripwire's commercial software in any environment where secure, supported, commercial quality software is required. For more information about Tripwire's commercial data and network integrity solutions, go to www.tripwire.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23349019 Feedback>).

sourceforge __ Affected

Notified: January 16, 2001 Updated: September 27, 2001

Status

Affected

Vendor Statement

corrected version available at <http://sourceforge.net/projects/tripwire/>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23349019 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://sourceforge.net/projects/tripwire/&gt;
• <http://www.tripwire.com>
• <http://securityfocus.com/bid/3003&gt;
• <http://www.linuxsecurity.com/advisories/mandrake_advisory-1502.html&gt;

Acknowledgements

This vulnerability was first discovered by Jamo Huuskonen.

This document was last modified by Tim Shimeall.

Other Information

CVE IDs:	CVE-2001-0774
Severity Metric:	5.85 Date Public: