lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200506070641.j576fm8Y020825@linus.mitre.org>
Date: Tue Jun  7 07:41:56 2005
From: coley at mitre.org (coley@...re.org)
Subject: Second-Order Symlink Vulnerabilities


Introduction
------------

Recently, Eric Romang of ZATAZ Audits reported several symlink issues
that are different than the usual symlink vulnerabilities [1] [2].
There are probably a large number of applications that are safe with
respect to traditional symlink problems, but vulnerable to this
particular variant.

Specifically, the problem arises when one program, "PARENT," invokes
another program, "CHILD," in which:

  - the CHILD has a "standalone" design, i.e. its normal mode of
    operation is to be run by an interactive user, or a script on
    behalf of the user.

  - the CHILD does not run with more privileges than the user that
    invokes it, e.g. it is not setuid.

  - the CHILD program assumes that the user calling the program has
    control over all files that are specified as arguments, i.e. the
    specified filenames are trusted.

  - the CHILD program follows symlinks.

  - the PARENT uses filenames that are passed as arguments to the
    CHILD.

  - the filenames as used by the PARENT are:
    - controllable, or predictable, by the attacker, and
    - in a directory that's writable by the attacker;

The attacker could then use a symlink attack on the filename arguments
that the PARENT passes to the CHILD.

This variant might be referred to as a "Second Order Symlink
Vulnerability," with apologies to NGS Software [3] for my slightly
different usage of the "second order" term.


Discussion
----------

Note that the four conditions for the CHILD, if treated alone, are not
normally regarded as a security vulnerability: there aren't any
privilege boundaries being crossed, and the filenames are under the
control of the user.

It's the interaction between the PARENT and the CHILD that becomes the
problem.  There is a strong argument that it is the PARENT's
responsibility to protect against the second-order symlink
vulnerability, since "fixing" the child could significantly reduce
functionality in common standalone uses.  However, there may be some
cases in which the PARENT does not have intrinsic knowledge of which
CHILD will be invoked at runtime.

Note that from the CHILD's perspective, the attack vectors do NOT
involve temporary files.

Current code scanning tools may not locate second-order symlink
vulnerabilities when scanning the PARENT, because the affected
fopen/create/etc. function call may not be in the PARENT at all, but
in the CHILD.



Examples
--------

Romang's reports for everybuddy and LutelWall both deal with the case
in which wget is the CHILD, and the PARENT specifies an output file to
wget using the "-O" argument.

It must be emphasized that the vulnerability is NOT in wget; as
previously discussed, it is in the interaction between wget and the
process that invokes it.


For LutelWall, we have:

  echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3
  http://firewall.lutel.pl/FEATURES-${new_ver}`

For everybuddy, we have:

  258   g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O \
     /tmp/.eb.%s.translator \
  'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
  259     getenv("USER"), getenv("USER"), from, to, string);
  ...
  ...
  263   if(system(buf)!=0)  




References
----------


[1] "everybuddy <= 0.4.3 insecure temporary file creation"
    Bugtraq mailing list, June 6, 2005
    http://marc.theaimsgroup.com/?l=bugtraq&m=111809118405393&w=2
    http://www.zataz.net/adviso/everybuddy-06062005.txt

[2] "LutelWall <= 0.97 insecure temporary file creation"
    Full-Disclosure mailing list, June 6, 2005
    http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034424.html
    http://www.zataz.net/adviso/lutelwall-05222005.txt

[3] "Second Order Code Injection Attacks"
    NGS Software
    http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ