
Acroread symlink vulnerability via /tmp
27th Jun 2002 [SBWID-5492]
COMMAND

	Acroread symlink vulnerability via /tmp

SYSTEMS AFFECTED

	Acrobat Reader version "x86 linux 5.0.5 Apr  25  2002  11:55:36"  (Other
	UNIX versions probably also affected.)

PROBLEM

	Paul Szabo [http://www.maths.usyd.edu.au:8000/u/psz/] says :

	<--snapp-->

	Acroread creates or overwrites the file /tmp/AdobeFnt06.lst.UID, and
	changes its permissions to wide open (mode 666); it also follows
	symlinks. The attack is obvious:

	  ln -s ~victim/.bashrc /tmp/AdobeFnt06.lst.VUID

	and wait for victim to use acroread; then we can write his .bashrc.

	<--snapp-->

SOLUTION

	 Patch (update 25 July 2002)
	 =====

	Get Acrobat reader 5.06

	 Workaround
	 ==========

	I use the following wrapper around acroread (move original script or
	binary to acroread.real, put this in its place). Use TMPDIR, but also
	ensure file in /tmp is safe (in case writing in TMPDIR fails for some
	reason: diskquota?). With file in /tmp, leaves no race with the open()
	in acroread, just a window of opportunity to mess with the data.
	

	#!/usr/bin/perl --

	# Real acroread (the original script or binary, renamed)
	$PROG = '/usr/share/Acrobat/505/bin/acroread.real';
	# File acroread uses in /tmp ($< is the real UID)
	$TMPF = "/tmp/AdobeFnt06.lst.$<";
	# Private directory and file used once TMPDIR is redirected
	$MYTD = "$ENV{'HOME'}/.acrobat";
	$MYTF = "$MYTD/AdobeFnt06.lst.$<";

	$ENV{'TMPDIR'} = $MYTD;

	use Fcntl;

	# Die unless $nam is a plain file, owned by us, with one link; then set mode 600
	sub checkfix {
	  my ($nam, $msg) = @_;
	  ($dev,$ino,$mode,$nlink,$uid,$gid,@rest) = lstat( $nam );
	  ( -f _ and ! -l _ and ! -d _ ) or die "$msg: $nam is not a file\n";
	  # BEWARE: on some systems, $gid comes from directory
	  ( $uid == $< and $gid == $( ) or die "$msg: $nam is not your own\n";
	  ( $nlink == 1 ) or die "$msg: $nam has hardlinks\n";
	  chmod( 0600, $nam ) or die "$msg: cannot chmod $nam\n";
	}

	$< > 99 or die "No daemons\n";

	# Pre-create the /tmp file; with O_EXCL this fails if the name already exists,
	# and checkfix() below then decides whether the existing file is acceptable
	sysopen( F, $TMPF, O_RDWR|O_CREAT|O_EXCL, 0600 )
	  and close( F )
	  #and print "Pre-created $TMPF\n"
	  ;

	# Same for the private directory and the file inside it
	mkdir( $MYTD, 0700 )
	  #and print "Pre-created $MYTD\n"
	  ;
	sysopen( F, $MYTF, O_RDWR|O_CREAT|O_EXCL, 0600 )
	  and close( F )
	  #and print "Pre-created $MYTF\n"
	  ;

	# Check both files before running acroread, and again afterwards
	&checkfix( $TMPF, "Tricked" );
	&checkfix( $MYTF, "Tricked" );
	system( $PROG, @ARGV );
	&checkfix( $TMPF, "After acroread" );
	&checkfix( $MYTF, "After acroread" );

	#!#
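
	Added example (not part of the original advisory or of the wrapper
	above): the wrapper's file-type, ownership and hard-link checks, written
	in Python and applied to the open descriptor with O_EXCL/O_NOFOLLOW, next
	to an open that behaves as the advisory describes. The helper names, the
	use of the effective UID, and the temporary directory standing in for
	/tmp are assumptions of this example.

```python
import os, stat, tempfile

def open_following(path):
    # Behaviour the advisory describes: create or overwrite, follow links, mode 666.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    os.fchmod(fd, 0o666)
    return fd

def open_checked(path):
    # Assumed helper: the wrapper's checkfix() tests, applied to the descriptor.
    flags = os.O_RDWR | os.O_NOFOLLOW
    try:
        # O_EXCL refuses any existing name, including a dangling symlink.
        fd = os.open(path, flags | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # Existing name: O_NOFOLLOW makes open() fail (ELOOP) on a symlink.
        fd = os.open(path, flags)
    st = os.fstat(fd)  # inspect the object that was actually opened
    if not (stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid()
            and st.st_nlink == 1):
        os.close(fd)
        raise PermissionError(f"{path}: not a private regular file")
    os.fchmod(fd, 0o600)
    return fd

def demo():
    # Constructed scenario: a private temp dir stands in for /tmp.
    out = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim_bashrc")  # stands in for ~victim/.bashrc
        def state():
            with open(victim) as f:
                return f.read(), stat.S_IMODE(os.stat(victim).st_mode)
        for kind, plant in (("hardlink", os.link), ("symlink", os.symlink)):
            with open(victim, "w") as f:
                f.write("original\n")
            os.chmod(victim, 0o600)
            lst = os.path.join(d, "AdobeFnt06.lst." + kind)
            plant(victim, lst)
            try:
                os.close(open_checked(lst))
                refused = False
            except OSError:
                refused = True
            out[kind] = (refused,) + state()
        os.close(open_following(lst))  # lst is still the planted symlink
        out["following"] = state()
    return out

if __name__ == "__main__":
    print(demo())
```

	Each entry of demo() is (refused, target contents, target mode) for the
	checked open, and (target contents, target mode) for the following open.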

	
