SECURITY BUG: Symlink exploit in 2.6.8 ia64 build scripts

From: Dominik Vogt
Date: Tue Oct 05 2004 - 13:48:56 EST

Next message: Francois Romieu: "Re: Possible GPL Violation of Linux in Amstrad's E3 Videophone (me too???)"
Previous message: Hans Reiser: "Re: [PATCH 0/4] I/O Error Handling for ReiserFS v3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The 2.6.8 kernel sources (and earlier 2.6.x versions) are
susceptible to temporary filename attacks. In the arch/ia64
branch, there are several scripts that are vulnerable to known
temporary filename attacks:

scripts/check-gas
scripts/toolchain-flags
sn/runsim

All three write to temporary files named out$$, out$$.o or tmp.$$
where $$ is replaced with the process pid.

A local attacker can use symlinks to let the build processes
overwrite any file if they are executed as root.

Exploit script:

$ cd /tmp || exit 1
$ for i in `seq 32767`; do ln -s owned out.$i.o; done
$ cd <path_to_2.6.8 sources>
$ make ARCH=ia64

should demonstrate the problem, but I can't test it as I don't
have an ia64 cross compiler. However, I can see that, for
example, the line

gcc -c <path>/arch/ia64/scripts/check-gas-asm.S -o /tmp/out29763.o

is executed, and if I remove the contents of check-gas-asm.S, the
symlink attack does work (i.e. the file /tmp/owned is
overwritten).

Proposed fix:

Normally, I would fix that by using the mktemp command to generate
the temporary filenames, but I'm not sure that is acceptable for
the kernel:

umask 077
out=`mktemp "$tmp/outXXXXXXXX.o"` || exit 1

An alternate solution might be

umask 077
set -C

(Please CC me)

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt, dominik.vogt@xxxxxx

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Francois Romieu: "Re: Possible GPL Violation of Linux in Amstrad's E3 Videophone (me too???)"
Previous message: Hans Reiser: "Re: [PATCH 0/4] I/O Error Handling for ReiserFS v3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]