Re: Mathematica8.0.4 on Linux /tmp/MathLink vulnerability

[paul.szabo () sydney edu au]

Dear Vikram,

> > Mathematica on Linux uses the /tmp/MathLink directory in insecure ways.
> > Mathematica creates or re-uses an existing /tmp/MathLink directory, and
> > overwrites files within and follows symlinks. ...
>
> One quick fix here could be to change user permissions with chmod or
> add a new group where Mathematica in /tmp doesn't have permissions to
> anything under /home so then even if a user is compromised, the
> symlink won't work because the user doesn't have permissions. A root
> user here is an entirely different problem, here an attacker can
> symlink to any directory. So a new group to setup permissions for
> Mathemtica /tmp access would be a better idea. Will look into a patch
> soon.

My ideas for a fix, so far:

It is tempting to add O_NOFOLLOW to the relevant open() calls, maybe by
changing the string "open" to something else:
  perl -i.bak -pe 's/open/PSzO/g' SystemFiles/Libraries/Linux*/libML*.so
and LD_PRELOAD a library built from something like
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  int PSzO(const char *pathname, int flags, mode_t mode)
  {
    return open(pathname, flags|O_NOFOLLOW, mode);
  }
but that would not work: I believe those files in /tmp/MathLink allow
other processes to send commands to the running Mathematica session,
possibly including shell escapes.

The fix might be to make the directory in /tmp private to the user,
naming it /tmp/MathLink-$USER and checking it has right owner and
"chmod 0700" permissions. That fix will need to be implemented by
Wolfram.

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia