Date: Sun, 10 Apr 2005 03:09:52 +0100
From: Imran Ghory <imranghory@...il.com>
To: bugtraq@...urityfocus.com
Subject: rpdump TOCTOU file-permissions vulnerability


================================
rpdump TOCTOU file-permissions vulnerability
================================

Software: rpdump (part of the Pine mail package)
Version: Pine 4.62
Software URL: <http://www.washington.edu/pine/>
Platform:  Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low
Attacker requires: local user account and write access to the directory
in which rpdump writes its output (world-writable directories with the
sticky bit set, such as /tmp, are vulnerable).
Attack result: overwriting of an arbitrary file belonging to the user

Vulnerable software
====================

rpdump included with Pine 4.62 and previous versions running on unix.

Vulnerability
==============

rpdump checks that the local file it is about to create does not already
exist, using the following code in rcdump.c:

    if(access(local, ACCESS_EXISTS) == 0){
        if(access(local, WRITE_ACCESS) == 0){

            sprintf(buf, "Local file \"%.20s\" exists, overwrite it",
                    (p = last_cmpnt(local)) ? p : local);
            if(wantto(buf, 'n', 'n') != 'y'){
                fprintf(stderr, "Dump cancelled\n");
                exit(-1);
            }
        }
        else{
            fprintf(stderr, "Local file \"%s\" is not writable\n", local);
            exit(-1);
        }
    }

However, it then performs network operations against the IMAP server to
fetch the remote files before eventually calling fopen(local, "w"). That
window gives an attacker the opportunity to replace the checked path with
a symbolic link pointing at an arbitrary file owned by the user; fopen()
follows the link and the target file is overwritten.
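The root cause is that the existence check and the later open are two separate operations on a path name, so nothing stops the name from being rebound in between. The race-resistant pattern is to perform a single open whose flags make the kernel enforce the property the check was meant to establish: O_CREAT|O_EXCL when the file must be new, and O_NOFOLLOW plus an fstat() on the returned descriptor when overwriting an existing file is permitted. The following is an added example, not code from the advisory or from Pine; the function name open_local_safely and the constructed scenario in the self-check (a victim file and a planted symlink in a temporary directory) are my own.

```c
/* Added example (not Pine's code): a race-resistant replacement for the
 * access()-then-fopen() sequence described in the advisory. The path is
 * opened exactly once; the checks are done on the descriptor, not the name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a writable descriptor for 'local', or -1 with errno set.
 * allow_overwrite == 0: the file must not exist (O_EXCL), so a symlink or
 *   file planted after any earlier check cannot be reused.
 * allow_overwrite != 0: an existing file may be truncated, but only if the
 *   final component is not a symlink (O_NOFOLLOW) and the object actually
 *   opened is a regular file with a single link, owned by the caller.
 *   Truncation is done with ftruncate() after those checks, never O_TRUNC,
 *   so nothing is destroyed before the descriptor has been inspected. */
static int open_local_safely(const char *local, int allow_overwrite)
{
    struct stat st;
    int fd = open(local, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 || errno != EEXIST || !allow_overwrite)
        return fd;

    fd = open(local, O_WRONLY | O_NOFOLLOW);   /* ELOOP if it is a symlink */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a constructed scenario: a victim file and a symlink to it,
 * planted the way the advisory describes. Returns 1 when the safe open
 * refuses the symlink, leaves the victim intact, and still behaves
 * normally for a genuinely new file. */
static int demo_race_resistant_open(void)
{
    char dir[] = "/tmp/rpdump-demo-XXXXXX";
    char victim[256], lnk[256], fresh[256], buf[64] = {0};
    int ok = 0, fd;
    FILE *v;

    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/dump", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);

    if (!(v = fopen(victim, "w")))
        goto out;
    fputs("victim data\n", v);
    fclose(v);
    if (symlink(victim, lnk) != 0)
        goto out;

    /* 1. The planted symlink is refused even though overwriting is allowed. */
    if ((fd = open_local_safely(lnk, 1)) != -1) { close(fd); goto out; }
    /* 2. The victim file was not touched. */
    if (!(v = fopen(victim, "r")) || !fgets(buf, sizeof buf, v)) {
        if (v) fclose(v);
        goto out;
    }
    fclose(v);
    if (strcmp(buf, "victim data\n") != 0)
        goto out;
    /* 3. A new name is created normally ... */
    if ((fd = open_local_safely(fresh, 0)) < 0) goto out;
    close(fd);
    /* 4. ... a second exclusive create of it fails with EEXIST ... */
    if (open_local_safely(fresh, 0) != -1 || errno != EEXIST) goto out;
    /* 5. ... and with overwrite allowed, our own regular file is accepted. */
    if ((fd = open_local_safely(fresh, 1)) < 0) goto out;
    close(fd);
    ok = 1;
out:
    unlink(lnk); unlink(victim); unlink(fresh); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("race-resistant open: %s\n", demo_race_resistant_open() ? "ok" : "FAILED");
    return 0;
}
```

The "overwrite it?" prompt from the original code can stay; the difference is that the answer only controls the allow_overwrite argument, and the decision about what the name currently refers to is made atomically by the kernel at open time. The st_nlink == 1 test additionally rejects a hard link planted in the destination directory, which O_NOFOLLOW alone would not catch.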

Workaround
===========

Ensure that any directory used as the local destination for rpdump is
writable only by the user.

