Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

> Not sure it is fixable, or maybe using a lock on the symbolic link
> while fetching its target (to be tested to be sure that such locks
> cannot be overridden from shell).

The easiest way is to just open the target with the O_NOFOLLOW flag to
avoid following symlinks and abort on failure.  If you need to support
systems that don't have this flag, then perhaps you could consider
using an application-specific temporary directory instead of operating
in the world-writable /tmp.

> >  Also, I don't see a reason why a hard link couldn't be used for exploitation
> > instead.
>
> Hard link are not detectable (lstat), they are treated like normal files.

Sure they are - just open the file, fstat() it, and check the st_nlink
field.  If it's more than one, you know there's hard linking going on.
 Sometimes this kind of check introduces a race condition of its own
where the file can be removed by the attacker after a file descriptor
is obtained but before the fstat(), but in this case since an attacker
would be creating a hard link to a victim's file, he wouldn't be able
to remove it since it's in a sticky-bit /tmp directory.

-Dan