Full Disclosure mailing list archives
Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability
From: paul.szabo () sydney edu au
Date: Tue, 17 Apr 2012 06:51:20 +1000
Dear Vikram,
Mathematica on Linux uses the /tmp/MathLink directory in insecure ways. Mathematica creates or re-uses an existing /tmp/MathLink directory, and overwrites files within and follows symlinks. ...One quick fix here could be to change user permissions with chmod or add a new group where Mathematica in /tmp doesn't have permissions to anything under /home so then even if a user is compromised, the symlink won't work because the user doesn't have permissions. A root user here is an entirely different problem, here an attacker can symlink to any directory. So a new group to setup permissions for Mathemtica /tmp access would be a better idea. Will look into a patch soon.
My ideas for a fix, so far: It is tempting to add O_NOFOLLOW to the relevant open() calls, maybe by changing the string "open" to something else: perl -i.bak -pe 's/open/PSzO/g' SystemFiles/Libraries/Linux*/libML*.so and LD_PRELOAD a library built from something like #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> int PSzO(const char *pathname, int flags, mode_t mode) { return open(pathname, flags|O_NOFOLLOW, mode); } but that would not work: I believe those files in /tmp/MathLink allow other processes to send commands to the running Mathematica session, possibly including shell escapes. The fix might be to make the directory in /tmp private to the user, naming it /tmp/MathLink-$USER and checking it has right owner and "chmod 0700" permissions. That fix will need to be implemented by Wolfram. Cheers, Paul Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Mathematica8.0.4 on Linux /tmp/MathLink vulnerability paul . szabo (Apr 14)
- Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability Vikram Dhillon (Apr 17)
- Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability paul . szabo (Apr 16)
- Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability Vikram Dhillon (Apr 17)