Bugtraq mailing list archives

Tempfile vulnerabilities


From: foo () BLACKLISTED INTRANOVA NET (foo)
Date: Sun, 30 Jan 2000 22:58:14 +0000


Hi,

This weekend I decided to play around with a couple of network
management tools on securityfocus.com: Angel
(http://www.paganini.net/angel/) and Autobuse
(http://www.picante.com/~gtaylor/download/). Unfortunately,
upon review of the source, I noticed a bad trend. Both tools handle
temporary files insecurely. For example:

In Autobuse's main perl script, line 96:

        if(!$test_run) {
                open OUT, ">/tmp/autobuse_report.$$"
                        or die "can't open /tmp/autobuse_report.$$";
                select OUT;
        }

Simple symlink attack: make a link from a file that is writable to the
user running the script to /tmp/autobuse_report.$$ (just brute force
the .$$ part) to overwrite the linked file. Since a lot of users will
be putting network management scripts in root's crontab, this poses
a significant risk to security.

Variation of the same story in Angel.pl, line 504:

        sub timeexec
        {
                ...
                my($tempfile) = "/tmp/timeexec.$$";
                $myproc = Proc::Simple->new();
                $myproc->start("$cmd >$tempfile 2>&1");
                ...
                open (CDTEMP, "$tempfile") || return (-1, ());
                ...

The subroutine timeexec() is called by Angel's Check_ping.pl,
Check_load.pl and Check_disk.pl plugin scripts like this:

($ret, @output) = timeexec($Default_tries, $Default_timeout, $rcmdline);

I looked around for some more perl/shell scripts on securityfocus that
exhibited the same problem and found confcollect:

#!/bin/sh
VERSION=0.1d
COPYRIGHT='1999 Eddie Olsson <ewt () skagelund com>'
PATH=$PATH:/sbin
# Read settings from the file /etc/confcollect.conf
[ -f /etc/confcollect.conf ] || exit 1
. /etc/confcollect.conf
CFILENAME=`hostname`.`date +"%Y%m%d"`.confcollect.tar.gz
...
tar zcf /tmp/$CFILENAME /etc 2>/dev/null

Oh, I also noticed a vulnerable example script on my slack 7 box
at /usr/lib/m4-examples/stackovf.sh:
(yeah, yeah, I know, who is silly enough to run this stuff as r00t? :P )

#!/bin/sh
...
tmpfile=/tmp/t.$$
trap 'rm -f $tmpfile; exit 1' 1 2 3 15
...
$M4 -L999999999 > $tmpfile 2>&1

OH! OH! And a really cool program that a number of people I know run,
called root-portal (http://driftwood.draconic.com/root-portal), contains
a number of scripts afflicted by the same bug!:

#!/bin/sh
cd /tmp
...
if test "${more_recent}" = "${half_hour_ago}"
then
        mv -f recentnews.txt recentnews.txt.old > /dev/null
        wget -q http://freshmeat.net/backend/recentnews.txt
        if test ! -f /tmp/recentnews.txt
        then
                mv -f recentnews.txt.old recentnews.txt > /dev/null
        fi
        chmod a+rw recentnews.txt
        date '+%Y%j%H%M' > /tmp/freshmeat_read.timestamp
        chmod a+rw freshmeat_read.timestamp
fi

heh, forgot to mv freshmeat_read.timestamp too eh?
Nice way to make certain files world writable!

Let's all be a bit more careful next time, shall we?

Rule of thumb:

- Create a more secure storage directory for your temporary files.
  mkdir /home/blah; chmod 700 /home/blah   # 700, not 600: a directory needs the execute bit to be entered

- Allow the user to easily customize this directory:
  SECUREDIR=/home/blah

- Check for the existence of your temporary file before you do anything
with it:

SECUREDIR=/home/blah
tmpfile=$SECUREDIR/t.$$
if [ -e "$tmpfile" ]; then
        echo "ERROR! : temporary file exists, erasing!"; rm -f "$tmpfile"
fi

- If necessary, ensure that the file is not a symlink (test with -L; -e and -f follow the link):
if [ -L "$tmpfile" ]; then ...

- John Daniele
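
The rule of thumb above, worked through as an added example (not code from the post or from any of the tools it quotes): a private directory, mktemp for the file itself so creation is atomic, and a symlink check that rejects a link planted at the predictable t.$$ name. The directory location and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from the quoted tools.
# Private directory + atomically created temp file (mktemp uses O_EXCL, so
# an existing symlink is never followed) + a check for a pre-planted link.

# Pick the private directory; location is an assumption, override via SECUREDIR.
if [ -n "$HOME" ] && [ -w "$HOME" ]; then
    SECUREDIR="${SECUREDIR:-$HOME/.secure_tmp}"
else
    SECUREDIR="${SECUREDIR:-${TMPDIR:-/tmp}/.secure_tmp.$(id -u)}"
fi

# Create the directory owner-only. 700, not 600: the owner needs the
# execute bit to enter the directory at all.
setup_securedir() {
    umask 077
    mkdir -p "$SECUREDIR" || return 1
    chmod 700 "$SECUREDIR" || return 1
    # A symlink here would redirect every temp file somewhere else.
    [ -d "$SECUREDIR" ] && [ ! -L "$SECUREDIR" ]
}

# Create a fresh temp file with an unpredictable name and print its path.
new_tmpfile() {
    mktemp "$SECUREDIR/t.XXXXXX"
}

# 0 if the path is a plain regular file, 1 if it is a symlink or missing.
# -L is tested first because -e and -f follow symlinks.
is_safe_tmpfile() {
    [ -L "$1" ] && return 1
    [ -f "$1" ]
}

# Constructed scenario: a link left at the predictable name t.$$ (the
# pattern the quoted scripts use) must be rejected, not written through.
demo_planted_symlink() {
    setup_securedir || return 1
    target="$SECUREDIR/decoy.txt"      # constructed stand-in for a real victim file
    planted="$SECUREDIR/t.$$"
    : > "$target" && ln -sf "$target" "$planted" || return 1
    if is_safe_tmpfile "$planted"; then
        rm -f "$planted" "$target"; return 1   # would have written through the link
    fi
    rm -f "$planted" "$target"
}
```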

