
S-plus /tmp race condition
7th Jan 2003 [SBWID-5917]
COMMAND

	S-plus /tmp race condition

SYSTEMS AFFECTED

	splus 6.0

PROBLEM

	Paul Szabo [psz@maths.usyd.edu.au] [http://www.maths.usyd.edu.au:8000/u/psz/] says:
	
	The main Sqpe binary, and various shell script modules, use files in
	/tmp:
	
	splus/6.0/cmd/Sqpe
		Clobbers /tmp/__F$$:
		open("/tmp/__F8499", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
	
	splus/6.0/cmd/PRINT
		Clobbers /tmp/PRINT.$$.out
	
	splus/6.0/cmd/mustfix.hlinks
		Clobbers /tmp/SUBST$PID.TXT /tmp/ed.cmds$PID
	
	splus/6.0/cmd/sas_get
		May clobber and use /tmp/file.1 /tmp/file.2
	
	splus/6.0/cmd/sas_vars
		May clobber and use /tmp/file.1
	
	splus/6.0/cmd/sgml2html
		Clobbers /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2
	
	Suppose an attacker creates a symlink from any of the "clobbered" files
	to one owned by the victim: guesses the PID that will be used, does
	
	  ln -s ~victim/.profile /tmp/__F123
	
	and waits for the victim to use Splus, then the victim's .profile will
	be trashed. Some or all of these attacks may then be escalated to
	arbitrary command execution; if root ever uses Splus then the damage is
	much greater.
	
	It might be argued that it is hard to guess what PID will be used next.
	It is easy enough to create a few thousand symlinks with likely PIDs;
	in fact the attacker could create a symlink for every possible PID (as
	these normally range from 0 to 32k or 64k).
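	The links described above leave a detectable trace: a symlink in /tmp, owned by someone other than the victim, pointing at a path outside /tmp. The following audit script is an added example written for this page, not part of the advisory or of S-PLUS; it reports such links for a given scratch directory, resolving relative targets (including ones that escape via "..") and printing the link's owner, which is the account that planted it. The fixture built by build_sample_dir is constructed for demonstration, and its target paths are placeholders that do not exist.

```sh
#!/bin/sh
# Added example, not part of the advisory: audit a scratch directory for
# symlinks whose target lies outside it, the shape of link the advisory
# describes (/tmp/__F123 -> ~victim/.profile). Output is one tab-separated
# line per hit: owner, link path, resolved target.

# scan_tmp_symlinks DIR: report symlinks directly under DIR that point
# outside DIR. Relative targets are resolved against DIR; links that stay
# inside DIR are ordinary scratch usage and are skipped.
scan_tmp_symlinks() {
    dir=$1
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$p" ] || continue            # only symlinks (also skips unmatched globs)
        target=$(readlink "$p") || continue
        case "$target" in
            /*) abs=$target ;;
            *)  abs=$dir/$target ;;
        esac
        inside=0
        case "$abs" in "$dir"/*) inside=1 ;; esac
        # a relative target containing ".." can leave DIR even though the
        # joined path still starts with DIR, so treat it as outside
        case "$target" in ..|../*|*/..|*/../*) inside=0 ;; esac
        [ "$inside" -eq 1 ] && continue
        # ls -l on a symlink reports the link's own owner, i.e. who planted it
        owner=$(ls -ld "$p" | awk '{print $3}')
        printf '%s\t%s\t%s\n' "$owner" "$p" "$abs"
    done
}

# build_sample_dir: constructed fixture with hypothetical names, not a real
# /tmp. It holds an ordinary file, a harmless in-directory symlink, and two
# links of the kind the advisory describes; both targets are placeholder
# paths that do not exist.
build_sample_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/scan-demo.XXXXXX") || return 1
    : > "$d/file.1"
    ln -s file.1 "$d/ok.link"
    ln -s /nonexistent-victim-home/.profile "$d/__F123"
    ln -s ../outside-placeholder.txt "$d/ed.cmds999"
    printf '%s\n' "$d"
}
```

	Run as scan_tmp_symlinks /tmp from cron or a host-monitoring agent; a hit whose owner is not the user the link's name suggests, at a PID-shaped name such as __F123 or PRINT.123.out, is the signature worth alerting on, and the resolved target shows which file would have been overwritten.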

SOLUTION

	 WORKAROUND/PATCH
	 ================
	
	The scripts could be patched trivially using one of the textbook
	methods, e.g. using a safe directory:
	
	  mkdir -m 700 /tmp/mydir$$ || exit 1
	  ... do things to /tmp/mydir$$/myfile ...
	  rm -rf /tmp/mydir$$
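	A fuller version of that safe-directory pattern, as an added example for this page rather than code from the advisory or from S-PLUS: the directory name comes from mktemp -d instead of the PID, so it is not guessable and creation fails rather than reusing an existing path, and the cleanup also runs on signals. The module name, file names and the run_module function are hypothetical stand-ins for a script that would otherwise write to /tmp/NAME$$.

```sh
#!/bin/sh
# Added example, not part of the advisory or of S-PLUS: the "safe
# directory" pattern for a shell module, using mktemp -d instead of a
# PID-named path. The name is unpredictable and mktemp fails rather than
# reusing an existing path, so a symlink planted at a guessed name is never
# followed; mode 0700 keeps other users out of the directory afterwards.

# make_safe_tmpdir: create and print a fresh private scratch directory.
make_safe_tmpdir() {
    umask 077
    mktemp -d "${TMPDIR:-/tmp}/splusmod.XXXXXX"
}

# write_result DIR TEXT: write TEXT to DIR/result.out and print that path.
# Only paths inside the private directory are ever written to.
write_result() {
    dir=$1 text=$2
    printf '%s\n' "$text" > "$dir/result.out" || return 1
    printf '%s\n' "$dir/result.out"
}

# run_module TEXT: the full pattern (create, use, clean up) for a
# hypothetical module; echoes the stored text and returns 0 on success.
run_module() {
    dir=$(make_safe_tmpdir) || return 1
    trap 'rm -rf "$dir"; exit 1' HUP INT TERM   # no leftovers on signals
    if out=$(write_result "$dir" "$1"); then
        cat "$out"; status=0
    else
        status=1
    fi
    rm -rf "$dir"
    trap - HUP INT TERM
    return $status
}
```

	The original mkdir -m 700 /tmp/mydir$$ || exit 1 form is also sound, because mkdir refuses an existing path, symlink or not; the difference here is only that the name is not predictable, so an attacker cannot turn the refusal into a reliable denial of service by pre-creating it.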
	
	Fixing Sqpe is harder. Could (safely) pre-create /tmp/__F$$ e.g.:
	
	*** splus/6.0/cmd/NEW.old	Tue Oct 10 16:06:37 2000
	--- splus/6.0/cmd/NEW	Tue Dec 24 09:15:59 2002
	***************
	*** 9,13 ****
	--- 9,19 ----
	  then
	  	echo $target not found; exit 1
	  fi
	+ set -e
	+ umask 077
	+ mkdir /tmp/F$$
	+ touch /tmp/F$$/__F$$
	+ mv -i /tmp/F$$/__F$$ /tmp </dev/null
	+ rmdir /tmp/F$$
	  exec $target
	  
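	Review bot: the protection in this hunk rests on `mv -i ... </dev/null` declining to overwrite an existing /tmp/__F$$, and what happens next depends on mv's exit status when it declines, which varies between implementations; if it returns 0 the script carries on, `rmdir /tmp/F$$` then fails on the non-empty directory and `set -e` aborts before `exec $target`, so the result is an abort rather than a clobber, but only by way of that later failure. An atomic alternative is `ln /tmp/F$$/__F$$ /tmp/__F$$`, which fails with EEXIST if anything, a symlink included, already sits at the destination and never follows a symlink there, followed by `rm -rf /tmp/F$$` to drop the staging directory and its extra link. Either way this only covers the first open; as the text below says, Sqpe's later unlink/open pairs reopen the window.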
	but Sqpe would still be open to races as it repeatedly open()s and
	unlink()s that file. A proper fix will have to come from the vendor.
