`Hi,
This weekend I decided to play around with a couple of network
management tools on securityfocus.com; Angel
(http://www.paganini.net/angel/,
and Autobuse (http://www.picante.com/~gtaylor/download/. Unfortunately,
upon review of the source, I noticed a bad trend. Both tools handle
temporary files insecurely. For example:
In Autobuse's main perl script, line 96:
if(!$test_run) {
open OUT, ">/tmp/autobuse_report.$$"
or die "can't open /tmp/autobuse_report.$$";
select OUT;
}
Simple symlink attack: make a link from a file that is writable to the
user running the script to /tmp/autobuse_report.$$ (just brute force
the .$$ part) to overwrite the linked file. Since a lot of users will
be putting network managements scripts in root's crontab, this poses
a significant risk to security.
Variation of the same story in Angel.pl, line 504:
sub timeexec
{
...
my($tempfile) = "/tmp/timeexec.$$";
$myproc = Proc::Simple->new();
$myproc->start("$cmd >$tempfile 2>&1");
...
open (CDTEMP, "$tempfile") || return (-1, ());
...
The subroutine timeexec() is called by Angel's Check_ping.pl,
Check_load.pl and Check_disk.pl plugin scripts like this:
($ret, @output) = timeexec($Default_tries, $Default_timeout, $rcmdline);
I looked around for some more perl/shell scripts on securityfocus that
exhibited the same problem and found confcollect:
#!/bin/sh
VERSION=0.1d
COPYRIGHT='1999 Eddie Olsson <[email protected]>'
PATH=$PATH:/sbin
# Ls instllningar i filen /etc/confcollect.conf
[ -f /etc/confcollect.conf ] || exit 1
. /etc/confcollect.conf
CFILENAME=`hostname`.`date +"%Y%m%d"`.confcollect.tar.gz
...
tar zcf /tmp/$CFILENAME /etc 2>/dev/null
Oh, I also noticed a vulnerable example script on my slack 7 box
at /usr/lib/m4-examples/stackovf.sh:
(yeah, yeah, I know, who is silly enough to run this stuff as r00t? :P )
#!/bin/sh
...
tmpfile=/tmp/t.$$
trap `rm -f $tmpfile; exit 1' 1 2 3 15
...
$M4 -L999999999 > $tmpfile 2>&1
OH! OH! and a really cool program that a number of ppl I know run called
root-portal (http://driftwood.draconic.com/root-portal) contains a number
of scripts afflicted by the same bug!:
#!/bin/sh
cd /tmp
...
if test "${more_recent}" = "${half_hour_ago}"
then
mv -f recentnews.txt recentnews.txt.old > /dev/null
wget -q http://freshmeat.net/backend/recentnews.txt
if test ! -f /tmp/recentnews.txt
then
mv -f recentnews.txt.old recentnews.txt > /dev/null
fi
chmod a+rw recentnews.txt
date '+%Y%j%H%M' > /tmp/freshmeat_read.timestamp
chmod a+rw freshmeat_read.timestamp
fi
heh, forgot to mv freshmeat_read.timestamp too eh?
Nice way to make certain files world writable!
Lets all be a bit more careful next time shall we?
Rule of thumb:
- Create a more secure storage directory for your temporary files.
mkdir /home/blah; chmod 600 /home/blah
- Allow the user to easily customize this directory:
$SECUREDIR = /home/blah
- Check for the existence of your temporary file before you do anything
with it:
$SECUREDIR=/home/blah
$tmpfile=$SECUREDIR/t.$$
if [ -e $tmpfile ]; then
echo -e "ERROR! : temporary file exists, erasing!\r\n"; rm -rf
$tmpfile
fi
- If necessary, ensure that the file is not a symlink:
if( -l $tmpfile ); then ...
- John Daniele
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation