Re: Insecure use of file in /tmp by trn
daemon@ATHENA.MIT.EDU (Martin Schulze)
Wed Aug 25 21:23:09 1999
Message-Id: <19990823103521.G29569@finlandia.infodrom.north.de>
Date: Mon, 23 Aug 1999 10:35:21 +0200
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To: Rogier Wolff <R.E.Wolff@BitWizard.nl>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908230649.IAA00424@cave.BitWizard.nl>; from Rogier Wolff on
Mon, Aug 23, 1999 at 08:49:24AM +0200
Rogier Wolff wrote:
> > > > This was not intentional by the author, he tried to use tempfile(1) to
> > > > create the temporary filename. However, due to a thinko, the name was
> > > > hardcoded into the script.
> > > [...]
> > > > +#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"
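Review bot: as quoted, the added line starts with `#`, so the whole `NNTPactive=`tempfile -p active`` assignment is commented out and sets nothing; the line that actually assigns NNTPactive in the fixed script is not visible in this excerpt, so it cannot be confirmed from the hunk that tempfile is invoked at all. Suggest quoting the complete replacement assignment rather than the commented-out line.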
> > >
> > > So now you're using tempfile? This usually yields an easily
> >
> > No, but now we're using tempfile in a proper way. In the original source
> > code it was used like:
> >
> > NNTPactive=`tempfile -p active`
>
> This is what I meant. You've made it just a teeny bit harder to exploit,
> but the same exploit is still there.
>
> 10 years ago, this solution would've been adequate. Nowadays everybody
> should know that this is very hard to get right. Moreover the "bad guys"
> already have the exploit programs ready.
>
> Creating a tempfile from a C program is possible since we have a
> mkstemp call. It is sufficiently tricky that I wouldn't dare
I'm sorry, but I don't understand. tempfile is a C program that creates
a tempfile.
DESCRIPTION
tempfile creates a temporary file in a safe manner. It
uses tempnam(3) to choose the name and opens it with
O_RDWR | O_CREAT | O_EXCL. The filename is printed on
standard output.
> replicating the functionality myself. Creating a private directory in
> /tmp and putting the tempfiles in there might be the only solution for
> shell scripts.
In which case you only make things more difficult to exploit, since such
a directory would be as guessable as a tempfile name would be, and the same
goes for the file inside it.
Regards,
Joey
--
Whenever you meet yourself you're in a time loop or in front of a mirror.
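The point both sides of this exchange circle around is that tempfile(1) creates the file safely but hands the script only a name, which the script then reopens. An added example, not code from trn or from either poster, showing the C-side pattern with mkstemp(3): keep the descriptor that O_EXCL gave you and use it directly, and verify the name still refers to that same inode before trusting it. The path prefix /tmp/active.XXXXXX is an assumption chosen to match the script under discussion.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a temp file the way tempfile(1)/mkstemp(3) do: O_CREAT|O_EXCL on a
 * random name, so a symlink planted at that name makes the open fail rather
 * than being followed. Returns the open fd and copies the path to path_out. */
int safe_tmpfile(char *path_out, size_t path_len) {
    char tmpl[] = "/tmp/active.XXXXXX";          /* assumed prefix; X's replaced */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    /* mkstemp already uses 0600; enforce it on the fd, never via the path */
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0) { close(fd); unlink(tmpl); return -1; }
    snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}

/* Write through the descriptor we created. Reopening by name (what a shell
 * script does with `> $NNTPactive` after tempfile) reintroduces a window in
 * which the name can be swapped; writing via the fd has no such window. */
int write_active(int fd, const char *data) {
    size_t n = strlen(data);
    return write(fd, data, n) == (ssize_t)n ? 0 : -1;
}

/* Does `path` still name the file behind `fd`? Same device and inode, a
 * regular file (lstat, so a symlink fails), and still mode 0600. */
int fd_matches_path(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) < 0 || lstat(path, &ps) < 0) return 0;
    return S_ISREG(ps.st_mode) && fs.st_dev == ps.st_dev &&
           fs.st_ino == ps.st_ino && (ps.st_mode & 0777) == 0600;
}

/* Full cycle: create, write a constructed active-file line, verify, clean up.
 * Returns 1 on success, 0 on any failure. */
int selftest(void) {
    char path[64];
    int fd = safe_tmpfile(path, sizeof path);
    if (fd < 0) return 0;
    int ok = write_active(fd, "comp.security.unix 1 1 y\n") == 0 &&
             fd_matches_path(fd, path);
    close(fd);
    unlink(path);
    return ok && !fd_matches_path(fd, path);   /* closed fd: check must fail */
}

int main(void) { return selftest() ? 0 : 1; }
```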