Vulnerability Development mailing list archives
Re: Tripwire temporary files
From: Ron DuFresne <dufresne () winternet com>
Date: Tue, 10 Jul 2001 16:36:09 -0500 (CDT)
On Mon, 9 Jul 2001, Charles Stevenson wrote:
Jarno Huuskonen wrote:After that I looked at the tripwire sources and confirmed the problem. (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and tw/textreportviewer.cpp).If you noticed a few more lines down the file get's removed.
Unless the tripwire process is halted for some reason, like a system crash, or reboot during the run, etc. In those cases the temp file<s> are left untouched. Thanks, Ron DuFresne
-> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const throw(eFSServices) -> { -> ... -> // create temp filename -> pchTempFileName = mktemp( szTemplate ); -> ... -> strName = pchTempFileName; -> ... -> -> // Linux creates the file!! Doh! -> // So I'll always attempt to delete it -bam -> FileDelete( strName ); -> -> return( strName ); -> } So it's going to be a really tight race since the file would have to be created just after FileDelete is called. -> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 openFlags ) -> { -> ... -> // if filename is NULL, create a temp file for the caller -> if( filename == NULL ) -> { -> try -> { -> iFSServices::GetInstance()->GetTempDirName( strTempFile ); -> strTempFile += _T("twtempXXXXXX"); -> iFSServices::GetInstance()->MakeTempFilename( strTempFile ); -> ... -> // open file -> mCurrentFilename = filename ? filename : strTempFile.c_str(); -> mCurrentFile.Open( mCurrentFilename, flags ); -> ... -> } I've been trying to think of a way to exploit this. The only way I could foresee was if you could run an exploit as a cron timed with a tripwire cron run as root and the exploit would create a lot of symlinks right before tripwire runs which could allow creation of files as root but if the file get's removed then really what you'd need is a way to watch all the symlinks you've created and the instant one is removed create it again (run on sentence;). Any ideas? The patch should be to use mkstemp() if the OS is Linux. Best Regards, Charles Stevenson
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Current thread:
- Re: Tripwire temporary files Charles Stevenson (Jul 10)
- Re: Tripwire temporary files dynamo (Jul 10)
- Re: Tripwire temporary files Ron DuFresne (Jul 12)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 12)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 12)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 16)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 12)