Message-ID: <e4bfb83004df0af6042758755f6faa21@fbi.dhs.org>
Date: Thu, 01 Apr 2010 23:30:50 -0400
From: bugs lists <bugs@....dhs.org>
To: <full-disclosure@...ts.grok.org.uk>
Subject: FileCache: tmp file permission vulnerability.



FileCache: tmp file permission vulnerability.
Larry W. Cashdollar
Vapid Labs http://vapid.dhs.org
2/16/2010


Perl Cache-Cache-1.06 is a memory and file caching module for Perl. It
stores its default file cache in /tmp with world read/write permissions. A
local attacker can use this cache to glean information from applications
using the module, regardless of whether the transaction is taking place
over an encrypted SSL session.

root@...-unix-sec01:/tmp# ls -l --color=no
total 200
drwxrwxrwx 3 root   root   4096 Feb 10 12:53 FileCache
root@...-unix-sec01:/tmp/FileCache/Default# ls -l --color=no
total 64
drwxrwxrwx 17 root root 4096 Feb 11 16:10 0
drwxrwxrwx 18 root root 4096 Feb 10 15:50 1
drwxrwxrwx 18 root root 4096 Feb 11 16:11 2
drwxrwxrwx 16 root root 4096 Feb 11 16:09 3
drwxrwxrwx 18 root root 4096 Feb 10 15:51 4
drwxrwxrwx 17 root root 4096 Feb 11 16:09 5
drwxrwxrwx 18 root root 4096 Feb 10 15:51 6
drwxrwxrwx 15 root root 4096 Feb 11 16:09 7
drwxrwxrwx 17 root root 4096 Feb 10 15:51 8
drwxrwxrwx 18 root root 4096 Feb 11 16:10 9
drwxrwxrwx 17 root root 4096 Feb 10 15:51 a
drwxrwxrwx 17 root root 4096 Feb 11 16:09 b
drwxrwxrwx 17 root root 4096 Feb 11 16:10 c
drwxrwxrwx 18 root root 4096 Feb 11 16:11 d
drwxrwxrwx 17 root root 4096 Feb 11 16:09 e
drwxrwxrwx 16 root root 4096 Feb 11 16:10 f
root@...-unix-sec01:/tmp/FileCache/Default/f/f/9# ls -l --color=no
total 64
-rw-r--r-- 1 root root  8035 Feb 12 08:39 ff9984b83c656ad4884e116bcf60fdca16be6483
-rw-r--r-- 1 root root 51521 Feb 12 08:37 ff9ebcc002b4067391f0baae96c3e23e8ef248a8
root@...-unix-sec01:/tmp/FileCache/Default/f/f/9# 
root@...-unix-sec01:/tmp/FileCache/Default/f/f/9# strings ff9984b83c656ad4884e116bcf60fdca16be6483 |more
prod-mail-list02.example.com
Cache::Object
_Size	Kv
_Expires_At
_Key	KuZ
_Created_At
adduser-3.105ubuntu1
apache2-2.2.8-1ubuntu0.11
apache2.2-common-2.2.8-1ubuntu0.11
apache2-mpm-worker-2.2.8-1ubuntu0.11
apache2-utils-2.2.8-1ubuntu0.11
apt-0.7.9ubuntu17.2
aptitude-0.4.9-2ubuntu5
apt-utils-0.7.9ubuntu17.2
at-3.1.10ubuntu4
atsar-1.7-2
base-files-4.0.1ubuntu5.8.04.7
base-passwd-3.5.16


This can be fixed with a simple patch:

larry@...zil:~/Desktop/Cache-Cache-1.06/lib/Cache$ diff -Nur FileCache.pm 1
--- FileCache.pm        2009-02-28 19:53:14.000000000 -0500
+++ 1   2010-02-12 21:13:31.000000000 -0500
@@ -35,7 +35,7 @@
 # by default, the root of the cache is located in 'FileCache'.  On a
 # UNIX system, this will appear in "/tmp/FileCache/"

-my $DEFAULT_CACHE_ROOT = "FileCache";
+my $DEFAULT_CACHE_ROOT = qw(FileCache_) . $>;


 # by default, the directories in the cache on the filesystem should
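
Review bot: The per-user root set on the "+my $DEFAULT_CACHE_ROOT" line is still a predictable name in the shared temp directory, and nothing in this hunk checks who owns a root that already exists, so a directory or symlink created there by another local account would be used as-is. The code that creates the root should refuse one that is a symlink, is not owned by $>, or carries group/other permission bits. Two smaller points: qw(FileCache_) . $> only works because qw() in scalar context yields its last element, so "FileCache_$>" would be clearer, and the comment two lines above still says the cache appears in "/tmp/FileCache/".
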
@@ -43,7 +43,7 @@
 # potential security concern, the actual cache entries are written
 # with the user's umask, thus reducing the risk of cache poisoning

-my $DEFAULT_DIRECTORY_UMASK = 000;
+my $DEFAULT_DIRECTORY_UMASK = 077;


 sub Clear
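
Review bot: Cache trees that already exist are not covered by the "+my $DEFAULT_DIRECTORY_UMASK = 077;" line, since a umask only applies to directories created afterwards; the drwxrwxrwx directories shown in the listing stay world-writable until they are removed or chmod'ed, so the fix should either tighten existing directories when the cache is opened or tell users to clear the old tree. The comment above the constant ("the actual cache entries are written with the user's umask") was the rationale for the old 000 value and should be reworded for the new default. Note as well that entries are still written with the user's umask (-rw-r--r-- in the listing), so after this change they are protected only by the 0700 parent directories.
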

Cache::Cache is no longer being developed;
http://search.cpan.org/~jswartz/CHI-0.34/lib/CHI.pm should be used instead.
 


http://vapid.dhs.org/w/doku.php?id=perl_cache:cache_filecache_permissions_issue
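
The script below is an added example, not part of the original advisory or of Cache::Cache: it audits a FileCache-style directory tree for the permissions shown in the listing above (world-writable directories, world-readable entries) plus foreign ownership and symlinks. The function names, finding labels and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a Cache::FileCache-style tree for the exposure shown above.
# Function names and finding labels are hypothetical, chosen for this example.

# Print one finding per line; return 0 if the tree is clean, 1 otherwise.
audit_cache_root() {
    acr_root=$1
    # A symlinked or missing root cannot be trusted as this user's cache.
    if [ -L "$acr_root" ] || [ ! -d "$acr_root" ]; then
        printf 'not-a-real-directory %s\n' "$acr_root"
        return 1
    fi
    acr_out=$(
        # Directories any local user can write into (the drwxrwxrwx case).
        find "$acr_root" -type d -perm -0002 -exec printf 'world-writable-dir %s\n' {} \;
        # Cache entries any local user can read (the -rw-r--r-- case).
        find "$acr_root" -type f -perm -0004 -exec printf 'world-readable-entry %s\n' {} \;
        # Anything belonging to a different account than the one running the audit.
        find "$acr_root" ! -user "$(id -u)" -exec printf 'foreign-owner %s\n' {} \;
        # Symlinks inside the tree can redirect reads and writes elsewhere.
        find "$acr_root" -type l -exec printf 'symlink %s\n' {} \;
    )
    [ -z "$acr_out" ] && return 0
    printf '%s\n' "$acr_out"
    return 1
}

# Build a constructed tree with the modes from the listing (777 dirs, 644 entry).
make_sample_tree() {
    mst_root=$(mktemp -d) || return 1
    mkdir -p "$mst_root/Default/f/f/9"
    printf 'constructed cache payload\n' > "$mst_root/Default/f/f/9/sample-entry"
    find "$mst_root" -type d -exec chmod 777 {} \;
    chmod 644 "$mst_root/Default/f/f/9/sample-entry"
    printf '%s\n' "$mst_root"
}

# Assumed remediation for an existing tree: 700 directories and 600 entries.
tighten_tree() {
    find "$1" -type d -exec chmod 700 {} \;
    find "$1" -type f -exec chmod 600 {} \;
}

demo=$(make_sample_tree)
audit_cache_root "$demo" || echo "findings above: tree is exposed"
tighten_tree "$demo"
audit_cache_root "$demo" && echo "clean after tightening"
rm -rf "$demo"
```

Run it as the account that owns the cache, since the ownership check compares against the effective UID of the caller.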
