Message-ID: <8671.1327334563@turing-police.cc.vt.edu>
Date: Mon, 23 Jan 2012 11:02:43 -0500
From: Valdis.Kletnieks@...edu
To: "Larry W. Cashdollar" <larry0@...com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: usb_modeswitch/pppd -detach

On Sun, 22 Jan 2012 02:38:57 GMT, "Larry W. Cashdollar" said:

> This is still a race condition since the pid can be guessed easily as well.  It's better to use mktemp /tmp/debug.XXXXXXXXXX.

No, that's *still* beatable, because if you know what the PID will be you can
guess what the XXXX will be filled in with (it's basically just salted with the
contents of the target directory, so anybody who can do a readdir() and can
guess the pid can predict the value).  What you *want* to do is read the mktemp
documentation and find this example on how to put the file into a securely
created subdirectory rather than directly in /tmp:

   * Create a secure fifo relative to the user's choice of `TMPDIR',
     but falling back to the current directory rather than `/tmp'.
     Note that `mktemp' does not create fifos, but can create a secure
     directory in which the fifo can live.  Exit the shell if the
     directory or fifo could not be created.
          $ dir=$(mktemp -p "${TMPDIR:-.}" -d dir-XXXX) || exit 1
          $ fifo=$dir/fifo
          $ mkfifo "$fifo" || { rmdir "$dir"; exit 1; }

(The -d option creates a subdirectory.  Unlike open() or creat() of a normal
file, which will chase a symlink if it exists, the mkdir() system call will
fail with EEXIST if there's a symlink waiting there.  And once you have a mode
700 directory owned by yourself, it's kind of hard for the attacker to drop a
symlink into there behind your back).



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
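The symlink race and the `mktemp -d` fix discussed in the message above, as an added, runnable example that is not part of the original post and not code from usb_modeswitch or pppd. Every function name here is hypothetical; the "attacker" and "victim" files are constructed inside a private scratch directory so the script never touches the real `/tmp`, and the secure variant passes the parent directory in the template rather than via `-p` so the same line works on GNU and BSD `mktemp`.

```sh
#!/bin/sh
# Added example (hypothetical names, not from the thread or any project):
# 1. a predictable /tmp/debug.$$ path is clobbered through a pre-planted symlink;
# 2. mkdir(2) refuses to follow a symlink, so mktemp -d cannot be redirected;
# 3. the file created inside the fresh mode-0700 directory is a real file.
set -u

# Private sandbox standing in for /tmp; removed on exit.
SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT

# Attacker step: plant a symlink at the name the victim is about to open,
# pointing at the file the attacker wants overwritten.
plant_symlink() {
    # $1 = predictable path the victim will use, $2 = target to clobber
    rm -f "$1"
    ln -s "$2" "$1"
}

# Insecure pattern: name derived from the PID, opened with a shell redirection,
# which behaves like open(2) with O_CREAT|O_TRUNC and follows symlinks.
insecure_debug_write() {
    echo "debug output" > "$1"
}

# Secure pattern from the thread: mktemp -d creates a mode-0700 directory with
# mkdir(2), which fails with EEXIST instead of following a planted symlink; the
# debug file then lives inside that directory. Prints the file's path.
secure_debug_write() {
    # $1 = parent directory (stands in for "${TMPDIR:-.}")
    dir=$(mktemp -d "$1/dir-XXXXXXXXXX") || return 1
    echo "debug output" > "$dir/debug.log" || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir/debug.log"
}

# Returns 0 when the insecure write overwrote the attacker's target via the symlink.
demo_insecure_clobbered() {
    target="$SANDBOX/victim.txt"
    echo "original" > "$target"
    predictable="$SANDBOX/debug.$$"        # constructed: the guessable name
    plant_symlink "$predictable" "$target"
    insecure_debug_write "$predictable"
    [ "$(cat "$target")" = "debug output" ]
}

# Returns 0 when mkdir refuses a name where a symlink is already waiting.
demo_mkdir_refuses_symlink() {
    rm -f "$SANDBOX/evil-dir"
    ln -s "$SANDBOX/victim.txt" "$SANDBOX/evil-dir"
    ! mkdir "$SANDBOX/evil-dir" 2>/dev/null
}

# Returns 0 when the secure path is a regular file inside a 0700 directory.
demo_secure_ok() {
    f=$(secure_debug_write "$SANDBOX") || return 1
    d=$(dirname "$f")
    [ ! -L "$f" ] && [ -f "$f" ] && [ -d "$d" ] &&
        [ "$(ls -ld "$d" | cut -c1-10)" = "drwx------" ]
}

# Stand-alone run: print each verdict.
for demo in demo_insecure_clobbered demo_mkdir_refuses_symlink demo_secure_ok; do
    if "$demo"; then echo "$demo: as expected"; else echo "$demo: UNEXPECTED"; fi
done
```

The first demo only succeeds because the sandbox is owned by the same user; on a Linux host with `fs.protected_symlinks=1`, a symlink planted by a different user in the sticky `/tmp` would be refused at follow time, which is a mitigation for the insecure pattern but not a substitute for the private subdirectory.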
