[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY104-F1AF03C5807E456DE40F70C8D20@phx.gbl>
Date: Sun Jul 17 18:09:56 2005
From: badpenguin79 at hotmail.com (Giovanni Delvecchio)
Subject: [ZH2005-16SA] Skype for Linux: Insecure temporary
file creation
[ZH2005-16SA] Skype for Linux: Insecure temporary file creation * UPDATE
17th July 2005
Application: Skype for Linux
Version affected: <= 1.1.0.20
Vendor website : http://www.skype.com
Author: Giovanni Delvecchio
e-mail: badpenguin@...e-h.org
About Skype
========
Skype is a free program that uses the latest P2P technology to bring
affordable and high-quality voice communications to people all over the
world.It also provides a service of Instant Messaging.
Details
====
Each user has his own profile which can be personalized with a picture. When
a user adds a picture for his profile, Skype creates in /tmp directory a
file named "skype_profile.jpg" in an insecure manner, without checking if
the file already exists and if it's a symbolic link.
-----------------------------------------------------------------------------------------------------------------------------------------
bad at badpenguin:~/skype-1.1.0.20$ strace -e trace=open skype
.
.
open("/home/bad/image.jpg", O_RDONLY|O_LARGEFILE) = 21 // picture chosen by
user
open("/tmp/skype_profile.jpg", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) =
23 // insecure temporary file creation (it should use O_EXCL or O_NOFOLLOW
flag)
.
.
------------------------------------------------------------------------------------------------------------------------------------------
This could represent a security problem in a multi-user environment because
usually /tmp directory is "world-writable".
Indeed, such problem could be exploited by a malicious local user via
symlink attack to overwrite arbitrary files with the privileges of the user
that running Skype.
Example:
ln -s file_to_overwrite /tmp/skype_profile.jpg
When the user will add a picture for his profile , the file symlinked by
attacker will be overwritten with the file content that the user has chosen
to update his profile.
In certain conditions a privilege escalation is possible.
An example of privilege escalation exploiting this type of vulnerability is
the following:
from http://www.securityfocus.com/archive/82/327361/2003-06-29/2003-07-05/0
:
"Starting release 9, Red Hat ships and uses pam_timestamp_check.so module
(accompanied by /sbin/pam_timestamp_check setuid helper), a part of the
new pam-0.75 (Pluggable Authentication Modules) package. PAM is a generic
centralized authentication and session management component that is also
shipped by an increasing number of other distributions, so it is
reasonable that the code is about to propagate to other distros.
The module mentioned implements a credential caching functionality, very
closely inspired on a tty ticketing system used in sudo.
The way the module works(and sudo), in essence, is that it gets current
pseudo-terminal name A, current user name B, and the user for which
credentials are cached, C (usually root for Red Hat applications, user
himself for sudo). Then the code checks for /var/run/sudo/B/A:C (or
/var/run/sudo/B/A if B == C), and if the file is recent (regardless of its
content), the module returns success, and enables the user to skip the usual
password authentication.
Since there's no check for file origin, it should be more than obvious that
suddenly, any insecure file creation problem in an application used by a
superuser,it is possible to spoof a ticket in /var/run and bypass root
password prompt and other checks, and perform administrative tasks, easily
modifying system config, installing custom components (say, a rootshell),
etc. All this by crafting a single symlink that is later opened with O_CREAT
with
no O_EXCL or O_NOFOLLOW."
Example:
----------------------------------------------------------------------------------------
#!/bin/sh
#get current terminal number from /dev/pts/xx
terminal_number=`tty | cut -f4 -d '/'`
user_ticket=$USER/$terminal_number:root
ln -s /var/run/sudo/$user_ticket /tmp/skype_profile.jpg
---------------------------------------------------------------------------------------------
Solution
=====
No fix available at the moment;
Grant only trusted users writing access to /tmp directory .
Timeline
=====
April 7th 2005 - bug dicovered
April 8th 2005 - Skype contacted by security at skype.net
April 14th 2005 - 1st Response from Skype:
"Thank you for the email, we will pass it on to our developers.
Regards,
Andres"
May 25th 2005 - Skype for Linux version 1.1.0.13 released, the problem is
present again.
May 27th 2005 - Skype re-contacted by security at skype.net
May 27th 2005 - 2nd Response from Skype:
"Giovanni, Thank you for the email again. I've spoken to our Linux
developers and they assure me this will be fixed in the next version and
they are considering posting an immediate advisory.
Again, your help is appreciated.
Regards,
Andres"
July 5th 2005 - Skype for Linux version 1.1.0.20 released, but the bug
hasn't
been fixed.
July 15th 2005 - Public advisory
Author's Note
========
Although this type of vulnerability isn't a problem for a single desktop
user, instead it could represent a problem in a multi user environment.
For example, Skype is used by many companies with some hundred of employees,
and in such environment several users have an access on an host, locally or
remotely . Any user,even with low privileges, could exploit this type
vulnerabily to overwrite or create arbitrary files with the privileges of
the user that running Skype, and in certain case conduct a privilege
escalation.
A study made by CERT (Computer Emergency Response Team) called ITS (Insider
Thread Study) shows like many times the incidents in companies are
pepetrated by insider (eg. current or former employees ).
So, i think that in these conditions this bug may represent a security
problem , and Skype should fix it quickly.
Reference
======
http://www.zone-h.org/advisories/read/id=7808
_________________________________________________________________
Comunica in tempo reale http://messenger.msn.com/beta
Powered by blists - more mailing lists