Tools Angel and Autobuse insecurely handle temporary files, risking symlink attacks and data leaks.
`Hi,
This weekend I decided to play around with a couple of network
management tools on securityfocus.com: Angel
(http://www.paganini.net/angel/)
and Autobuse (http://www.picante.com/~gtaylor/download/). Unfortunately,
upon review of the source, I noticed a bad trend. Both tools handle
temporary files insecurely. For example:
In Autobuse's main perl script, line 96:
if(!$test_run) {
open OUT, ">/tmp/autobuse_report.$$"
or die "can't open /tmp/autobuse_report.$$";
select OUT;
}
Simple symlink attack: make a link from a file that is writable to the
user running the script to /tmp/autobuse_report.$$ (just brute force
the .$$ part) to overwrite the linked file. Since a lot of users will
be putting network management scripts in root's crontab, this poses
a significant risk to security.
Variation of the same story in Angel.pl, line 504:
sub timeexec
{
...
my($tempfile) = "/tmp/timeexec.$$";
$myproc = Proc::Simple->new();
$myproc->start("$cmd >$tempfile 2>&1");
...
open (CDTEMP, "$tempfile") || return (-1, ());
...
The subroutine timeexec() is called by Angel's Check_ping.pl,
Check_load.pl and Check_disk.pl plugin scripts like this:
($ret, @output) = timeexec($Default_tries, $Default_timeout, $rcmdline);
I looked around for some more perl/shell scripts on securityfocus that
exhibited the same problem and found confcollect:
#!/bin/sh
VERSION=0.1d
COPYRIGHT='1999 Eddie Olsson <[email protected]>'
PATH=$PATH:/sbin
# Read settings from the file /etc/confcollect.conf
[ -f /etc/confcollect.conf ] || exit 1
. /etc/confcollect.conf
CFILENAME=`hostname`.`date +"%Y%m%d"`.confcollect.tar.gz
...
tar zcf /tmp/$CFILENAME /etc 2>/dev/null
Oh, I also noticed a vulnerable example script on my slack 7 box
at /usr/lib/m4-examples/stackovf.sh:
(yeah, yeah, I know, who is silly enough to run this stuff as r00t? :P )
#!/bin/sh
...
tmpfile=/tmp/t.$$
trap 'rm -f $tmpfile; exit 1' 1 2 3 15
...
$M4 -L999999999 > $tmpfile 2>&1
OH! OH! and a really cool program that a number of ppl I know run called
root-portal (http://driftwood.draconic.com/root-portal) contains a number
of scripts afflicted by the same bug!:
#!/bin/sh
cd /tmp
...
if test "${more_recent}" = "${half_hour_ago}"
then
mv -f recentnews.txt recentnews.txt.old > /dev/null
wget -q http://freshmeat.net/backend/recentnews.txt
if test ! -f /tmp/recentnews.txt
then
mv -f recentnews.txt.old recentnews.txt > /dev/null
fi
chmod a+rw recentnews.txt
date '+%Y%j%H%M' > /tmp/freshmeat_read.timestamp
chmod a+rw freshmeat_read.timestamp
fi
heh, forgot to mv freshmeat_read.timestamp too eh?
Nice way to make certain files world writable!
Let's all be a bit more careful next time, shall we?
Rule of thumb:
- Create a more secure storage directory for your temporary files:
mkdir /home/blah; chmod 700 /home/blah
- Allow the user to easily customize this directory:
SECUREDIR=/home/blah
- Check for the existence of your temporary file before you do anything
with it:
SECUREDIR=/home/blah
tmpfile=$SECUREDIR/t.$$
if [ -e "$tmpfile" ]; then
echo "ERROR! : temporary file exists, erasing!"; rm -f "$tmpfile"
fi
- If necessary, ensure that the file is not a symlink:
if [ -L "$tmpfile" ]; then ...
- John Daniele
`
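As an added example, not part of John Daniele's post and not code from Autobuse, Angel, confcollect, m4 or root-portal, here is the rule of thumb above written as a small POSIX sh library. Instead of a check-then-create sequence it relies on mktemp(1), which creates the file with O_CREAT|O_EXCL and mode 0600, so a file or symlink pre-planted at a predictable name such as /tmp/name.$$ is never opened; the directory checks refuse anything not owned by the caller or writable by group/others, which is exactly why a world-writable /tmp fails them. The names SECUREDIR, make_scratch_dir, make_tmpfile, verify_tmpfile and write_report are this example's own, and the report line it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from the tools it names).
# Assumes POSIX sh plus mktemp(1), find(1), ls(1), cut(1) and id(1).

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, and not writable by group or others. /tmp (mode 1777)
# fails this check, which is the point: report files do not belong there.
is_safe_scratch_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # "find DIR -prune ..." tests DIR itself and prints it only on a hit.
    [ -z "$(find "$dir" -prune ! -user "$(id -un)" -print)" ] || return 1
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
    return 0
}

# Create a fresh private scratch directory (mktemp -d uses mode 0700).
# An unpredictable per-run name replaces the guessable "$$" suffix; the
# caller may instead point SECUREDIR at a directory of their own choosing.
make_scratch_dir() {
    mktemp -d "${SECUREDIR:-${TMPDIR:-/tmp}}/scratch.XXXXXX"
}

# Create a temp file inside a directory that passes is_safe_scratch_dir.
# mktemp opens with O_EXCL, so an existing file or symlink at the chosen
# name makes it fail instead of being followed. Prints the new path.
make_tmpfile() {
    dir=$1
    is_safe_scratch_dir "$dir" || return 1
    mktemp "$dir/report.XXXXXX"
}

# Post-creation sanity check: a regular file, not a symlink, owned by us,
# with no group/other permission bits (ls -l columns 5-10 read "------").
verify_tmpfile() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -z "$(find "$f" -prune ! -user "$(id -un)" -print)" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    return 0
}

# What Autobuse's  open OUT, ">/tmp/autobuse_report.$$"  should have done:
# write the report text ($2) into a fresh temp file under directory $1 and
# print the file's path so the caller can hand it on and remove it later.
write_report() {
    dir=$1
    report=$(make_tmpfile "$dir") || return 1
    verify_tmpfile "$report" || { rm -f "$report"; return 1; }
    printf '%s\n' "$2" > "$report"
    printf '%s\n' "$report"
}

# Stand-alone demonstration: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scratch=$(make_scratch_dir) || exit 1
    out=$(write_report "$scratch" "constructed report line") || exit 1
    printf 'report written to %s:\n' "$out"
    cat "$out"
    is_safe_scratch_dir /tmp || echo "/tmp correctly rejected as a scratch dir"
    rm -rf "$scratch"
fi
```

Cleanup is the caller's job (rm -rf of the scratch directory from a trap, as stackovf.sh does for its file), and SECUREDIR is only honoured after it passes the same ownership and permission checks as any other directory.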