[38312] in bugtraq


rpdump TOCTOU file-permissions vulnerability

daemon@ATHENA.MIT.EDU (Imran Ghory)
Mon Apr 11 18:48:27 2005

Message-ID: <7389fc4b05040919094ac1d3e2@mail.gmail.com>
Date: Sun, 10 Apr 2005 03:09:52 +0100
From: Imran Ghory <imranghory@gmail.com>
Reply-To: Imran Ghory <imranghory@gmail.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

================================
rpdump TOCTOU file-permissions vulnerability
================================

Software: rpdump (part of the Pine mail package)
Version: Pine 4.62
Software URL: <http://www.washington.edu/pine/>
Platform:  Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low
Attacker requires: local user account, write access to the directory
rpdump is used in (directories with sticky bits such as /tmp are
vulnerable).
Attack result: over-writing of arbitrary file belonging to user

Vulnerable software
====================

rpdump included with Pine 4.62 and previous versions running on unix.

Vulnerability
==============

rpdump checks that the local file it is creating doesn't already exist
using the following code in rcdump.c:

    if(access(local, ACCESS_EXISTS) == 0){
        if(access(local, WRITE_ACCESS) == 0){

            sprintf(buf, "Local file \"%.20s\" exists, overwrite it",
                    (p = last_cmpnt(local)) ? p : local);
            if(wantto(buf, 'n', 'n') != 'y'){
                fprintf(stderr, "Dump cancelled\n");
                exit(-1);
            }
        }
        else{
            fprintf(stderr, "Local file \"%s\" is not writable\n", local);
            exit(-1);
        }
    }

However, it then engages in network operations to access remote files
on an IMAP server before eventually calling fopen(local, "w"). This
time-period presents an opportunity for an attacker to create a
symbolic link that points to an arbitrary file owned by the user which
will then be overwritten.

Workaround
===========

Ensure that any directory which is the local destination for rpdump is
only writeable by the user.
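The check-then-open race from the Vulnerability section, shown as an added example (not Pine's code): naive_create() mirrors the access()-then-fopen() pattern, and safe_create() is a hypothetical hardened replacement that creates the file atomically and refuses to follow a symlink.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: a separate existence check, then
 * some time later fopen(local, "w"). fopen() follows symlinks, so a link
 * planted in the window redirects the truncating open to another file.
 * Returns 1 if the file was opened for writing, 0 if the check failed. */
int naive_create(const char *local)
{
    if (access(local, F_OK) == 0 && access(local, W_OK) != 0)
        return 0;                  /* exists but is not writable */
    /* ... window: in rpdump, IMAP network I/O happens here ... */
    FILE *fp = fopen(local, "w");  /* follows a symlink planted in the window */
    if (!fp)
        return 0;
    fclose(fp);
    return 1;
}

/* Hardened replacement (hypothetical, not from Pine): no separate check.
 * One open() atomically creates the file and refuses a symlink; if the name
 * already exists and the caller allows overwriting, reopen it with
 * O_NOFOLLOW and confirm via fstat() that it is a regular file we own.
 * Returns a writable fd, or -1 with errno set (ELOOP: a symlink was found). */
int safe_create(const char *local, int allow_overwrite)
{
    int fd = open(local, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;                 /* created, or a genuine error */
    if (!allow_overwrite) {
        errno = EEXIST;
        return -1;
    }
    fd = open(local, O_WRONLY | O_TRUNC | O_NOFOLLOW);
    if (fd < 0)
        return -1;                 /* ELOOP if 'local' is a symbolic link */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```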
