[13255] in bugtraq


Re: Symlinks and Cryogenic Sleep

daemon@ATHENA.MIT.EDU (Marc Heuse)
Wed Jan 5 17:10:39 2000

Message-Id:  <20000105095724.9351.qmail@securityfocus.com>
Date:         Wed, 5 Jan 2000 09:57:24 -0000
Reply-To: Marc Heuse <mheuse@KPMG.COM>
From: Marc Heuse <mheuse@KPMG.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.5.32.20000104121119.038a5ea0@mail>

Hi,

>>when you're dealing with files in /tmp that are supposed to be re-opened
>>(rather than opened once and then discarded) there's an established
>>way to do it which goes like this:
[...]

>I did something that way:

oh, not a good idea:

>FILE *DoOpen(const char *cpFile, long bAppend)
>{
>   FILE *spNew;
>   FILE *spTest;
>   struct stat sStat;
>
>   spTest = fopen(cpFile,"a");
>   if (!spTest)
>   {
>      Log("ERR FILE OPEN",cpFile);
>      return NULL;
>   }

man fopen says about "a" (append mode):
the file is created, if it does not exist.
make cpFile a symlink to anything, and your function will create it (e.g. /etc/nologin).

>   if (lstat(cpFile,&sStat))
>   {
>      Log("ERR STAT",cpFile);
>      return NULL;
>   }
>   if ((sStat.st_mode & S_IFMT) == S_IFLNK)
>   {
>      fclose(spTest);
>      Log("ERR ISLINK",cpFile);
>      return NULL;
>   }

now, if cpFile is a hardlink to e.g. /etc/passwd, this won't help.
and even better: you've got the same race condition which Olaf describes, but the other way around. If the attacker creates the symlink before your fopen() call and before you do the lstat, he removes/renames it and creates a regular file, boom ...

>   if (bAppend)
>      spNew = spTest;
[... etc. the rest of the code is not relevant to security]

>Comments ?
>Improvements ?

well, it's insecure... :-(
I also posted a reply some hours ago to bugtraq with my proposed algorithm to eliminate the race condition. I sent it from marc@suse.de ... well, might take some time until it's approved (but probably faster than this one ;-)

Greets,
        Marc

Please note that all statements here are my own opinions and do not reflect any point of view of the company where I work at...
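Editor's added illustration (not code from Marc or from the original poster): a DoOpen-style function that avoids the three problems raised above, namely fopen("a") creating the symlink target, the lstat-after-open race, and the hard link that an S_IFLNK test never sees. It does this by opening with O_NOFOLLOW and checking the descriptor with fstat() instead of the path. The function names safe_open_append and safe_open_selftest are assumptions of this example; the self-test builds its own files under a fresh /tmp directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open an existing file for appending.  O_NOFOLLOW refuses a symlink at the
 * last path component; the fstat() checks run on the opened object itself, so
 * there is no lstat()-then-open window, and st_nlink != 1 catches a hard link
 * (e.g. one pointing at /etc/passwd).  No O_CREAT: unlike fopen(path, "a")
 * this never creates whatever a planted symlink points at.  NULL on refusal. */
FILE *safe_open_append(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return NULL;            /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;                  /* hard link, device, FIFO, foreign owner */
        return NULL;
    }
    FILE *fp = fdopen(fd, "a");
    if (!fp) close(fd);
    return fp;
}

/* Self-check with constructed files: plain file accepted, symlink and hard link refused. */
int safe_open_selftest(void)
{
    char dir[] = "/tmp/safeopenXXXXXX", reg[64], lnk[64], hard[64];
    int ok = 0, fd;
    if (!mkdtemp(dir)) return 0;
    snprintf(reg, sizeof reg, "%s/regular", dir);
    snprintf(lnk, sizeof lnk, "%s/symlink", dir);
    snprintf(hard, sizeof hard, "%s/hardlink", dir);
    fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(reg, lnk) == 0) {
        FILE *a = safe_open_append(reg);            /* st_nlink == 1: accepted */
        int sym_refused = safe_open_append(lnk) == NULL && errno == ELOOP;
        if (a) fclose(a);
        /* once a second name exists, st_nlink == 2 and the open is refused */
        int hard_refused = link(reg, hard) == 0 &&
                           safe_open_append(hard) == NULL && errno == EPERM;
        ok = a != NULL && sym_refused && hard_refused;
    }
    unlink(hard); unlink(lnk); unlink(reg); rmdir(dir);
    return ok;
}
```

The self-test returns 1 when all three cases behave as described; a path that does not exist simply yields NULL with ENOENT, since nothing is ever created.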
