Vulnerability Development mailing list archives
Re: Tripwire temporary files
From: dynamo <dynamo () harvard net>
Date: Tue, 10 Jul 2001 10:02:44 -0400 (EDT)
On the older versions of tripwire, and likely before this patch, the easiest exploit was to symlink the temporary tripwire database back to the original tripwire database it was using to test against. If you raced it properly, it would cause tripwire not to see any changes at all. I was able to do this in a shell script for older releases -- but i didnt test against this most recent version. On Mon, 9 Jul 2001, Charles Stevenson wrote:
Jarno Huuskonen wrote:After that I looked at the tripwire sources and confirmed the problem. (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and tw/textreportviewer.cpp).If you noticed a few more lines down the file get's removed. -> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const throw(eFSServices) -> { -> ... -> // create temp filename -> pchTempFileName = mktemp( szTemplate ); -> ... -> strName = pchTempFileName; -> ... -> -> // Linux creates the file!! Doh! -> // So I'll always attempt to delete it -bam -> FileDelete( strName ); -> -> return( strName ); -> } So it's going to be a really tight race since the file would have to be created just after FileDelete is called. -> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 openFlags ) -> { -> ... -> // if filename is NULL, create a temp file for the caller -> if( filename == NULL ) -> { -> try -> { -> iFSServices::GetInstance()->GetTempDirName( strTempFile ); -> strTempFile += _T("twtempXXXXXX"); -> iFSServices::GetInstance()->MakeTempFilename( strTempFile ); -> ... -> // open file -> mCurrentFilename = filename ? filename : strTempFile.c_str(); -> mCurrentFile.Open( mCurrentFilename, flags ); -> ... -> } I've been trying to think of a way to exploit this. The only way I could foresee was if you could run an exploit as a cron timed with a tripwire cron run as root and the exploit would create a lot of symlinks right before tripwire runs which could allow creation of files as root but if the file get's removed then really what you'd need is a way to watch all the symlinks you've created and the instant one is removed create it again (run on sentence;). Any ideas? The patch should be to use mkstemp() if the OS is Linux. Best Regards, Charles Stevenson
Current thread:
- Re: Tripwire temporary files Charles Stevenson (Jul 10)
- Re: Tripwire temporary files dynamo (Jul 10)
- Re: Tripwire temporary files Ron DuFresne (Jul 12)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 12)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 12)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 16)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 12)