lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 28 Apr 2007 18:25:01 -0400
From: Simson Garfinkel <simsong@....org>
To: Tim <tmorgan@...curity.com>
Cc: "George D. Gal" <ggal@...curity.com>,
	Brian Carrier <brianc@...istech.com>, bugtraq@...urityfocus.com
Subject: please retract CVE-2007-2056 "Time-of-Check-Time-of-Use File Race in AFFLIB"

Dear Tim,

Please issue a statement retracting your "security vulnerability"  
CV2-2007-2056.

Your alleged vulnerability in aimage is not a bug because the  
function getlock() is never called.

Although I appreciate the fact that you have done a security audit on  
my code, many of the bugs that you identified as "security  
vulnerabilities" were not vulnerabilities because there was no way to  
exploit them. And in this case, you have merely identified a bug in  
code that is not even callable.

I understand that it's exciting to get your name out there as a  
"security researcher," but I think that there are better targets from  
which to choose.

Sincerely,

Simson Garfinkel





                      Virtual Security Research, LLC.
                         http://www.vsecurity.com/
                             Security Advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-

Advisory Name: Time-of-Check-Time-of-Use File Race in AFFLIB
Release Date: 2007-04-27
   Application: AFFLIB(TM)
      Versions: 2.2.0-2.2.8 and likely earlier versions.
      Severity: Low
        Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com>
Vendor Status: Vendor Notified
CVE Candidate: CVE-2007-2056
     Reference:
          http://www.vsecurity.com/bulletins/advisories/2007/afflib- 
toctou.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-


Product Description:

 > From the forensicswiki.org website[1]:

   "The Advanced Forensics Format (AFF) is an extensible open format for
    the storage of disk images and related forensic metadata. It was
    developed by Simson Garfinkel and Basis Technology."

AFFLIB(TM) is the reference implementation of the AFF(TM) format,
written primarily by Simson Garfinkel.  It comes in the form of an open
source library and a set of command line tools used to manipulate
AFF(TM) files.



Vulnerability Overview:

In mid-March, 2007 Virtual Security Research, LLC (VSR) performed a
security code review of AFFLIB(TM) as a part of an internal tool
assessment process.  As a result, multiple vulnerabilities of varying
severities were discovered. The most significant of these
vulnerabilities are being announced publicly to raise awareness and help
end-users secure themselves against potential attack.

A time-of-check-time-of-use race was discovered in AFFLIB(TM) which
could allow an attacker on the local machine to overwrite an arbitrary
file.  Because the content of the file would not be controllable by an
attacker, it is unlikely that this is vulnerability is exploitable for
more than a denial-of-service.

This vulnerability remains in the latest version (2.2.8) despite several
notifications to the vendor.  All line numbers listed below are from
version 2.2.0.


Vulnerability Details:

File: aimage/aimage.cpp
Lines: 554-575
Platforms Affected: Unix

Description:
A mostly predictable name for the lockfile as it is created under
/tmp. An access check is first performed, and later the file is opened,
truncating if it already exists. Since the time of check and time of use
are not the same, a filesystem race could be exploited by a local
attacker through the use of a symlink. Lines 548-582 are included below
to illustrate the problem:

int getlock(class imager *im)
{
     /* If the file exists and the PID in the file is running,
      * can't get the lock.
      */
     char lockfile[MAXPATHLEN];
     sprintf(lockfile,"/tmp/aimge.%s.lock",im->infile);
     if(access(lockfile,F_OK)==0){
	/* Lockfile exists. Get it's pid */
	char buf[1024];
	FILE *f = fopen(lockfile,"r");
	if(!f){
	    perror(lockfile);		// can't read lockfile...
	    return -1;
	}
	fgets(buf,sizeof(buf),f);
	buf[sizeof(buf)-1] = 0;
	int pid = atoi(buf);
	if(checkpid(pid)==0){
	    /* PID is not running; we can delete the lockfile */
	    if(unlink(lockfile)){
		err(1,"could not delete lockfile %s: ",lockfile);
	    }
	}
	/* PID is running; generate error */
	errx(1,"%s is locked by process %d\n",im->infile,pid);
     }
     FILE *f = fopen(lockfile,"w");
     if(!f){
	err(1,lockfile);
     }
     fprintf(f,"%d\n",getpid());		// save our PID.
     fclose(f);
     return 0;
}

This is likely only exploitable for a denial-of-service condition, since
the attacker would have little control over the content being written
(the process ID of aimage).



Vendor Response:

Simson Garfinkel was first contacted on 2007-03-31. The following
timeline outlines the responses from the vendor regarding this issue:

2007-04-01 - Vendor provided details of all vulnerabilities
               identified.
2007-04-03 - Continued vendor communication.
2007-04-05 - Vendor released version 2.2.6, containing multiple
               security fixes.
2007-04-06 - Vendor notified VSR that fixes were released.
2007-04-09 - VSR notified vendor that 9 vulnerability instances still
               remained in latest release.
2007-04-12 - Vendor confirmed that remaining vulnerabilities would be
               fixed in next release.
2007-04-25 - Vendor released versions 2.2.7 and 2.2.8.  Vendor did not
               notify VSR.
2007-04-27 - VSR discovered new versions were released.  VSR inspected
               version 2.2.8 and found that no additional  
vulnerabilities
               were fixed.  VSR advisories published.


Recommendation:

AFFLIB(TM) users should upgrade to the newest version.  Third-party
projects which rely on AFFLIB(TM) should encourage users to upgrade,
and/or incorporate fixes into their distribution of the library.

The update is available via:

http://www.afflib.org/downloads/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following name to this issue.  This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

   CVE-2007-2056

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-

References:

1. AFF - Forensics Wiki
    http://www.forensicswiki.org/wiki/AFF

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-

This advisory is distributed for educational purposes only, and comes
with absolutely NO WARRANTY; not even the implied warranty of
merchantability or fitness for a particular purpose.  Virtual Security
Research, LLC nor the author accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-

Vulnerability Disclosure Policy:

   http://www.vsecurity.com/disclosurepolicy.html

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
=-=-=-=-

AFF(TM) and AFFLIB(TM) are trademarks of Simson Garfinkel and Basis
Technology Corp.

Included source code excerpts are copyright Simson Garfinkel and Basis
Technology Corp.

This advisory is copyright (C) 2007 Virtual Security Research, LLC. All
rights reserved.


Download attachment "smime.p7s" of type "application/pkcs7-signature" (2413 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ