oss-sec mailing list archives

Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack

From: Pierre Joye <pierre.php () gmail com>
Date: Tue, 1 Mar 2011 10:11:19 +0100

hi,

2011/2/28 Dan Rosenberg <dan.j.rosenberg () gmail com>:

I'm not familiar with this code or any of the context surrounding this
fix, but it appears to be an incomplete fix.  Checking for existence
of a symlink and then opening the resource leaves open a window during
which a legitimate file can be replaced with a symlink.


Not sure it is fixable, or maybe using a lock on the symbolic link
while fetching its target (to be tested to be sure that such locks
cannot be overridden from shell).

 Also, I don't see a reason why a hard link couldn't be used for exploitation
instead.


Hard link are not detectable (lstat), they are treated like normal files.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

Current thread:

CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Feb 28)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Feb 28)
  - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 01)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Vincent Danen (Mar 03)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Dan Rosenberg (Mar 01)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Pierre Joye (Mar 01)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 01)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Helgi Þormar Þorbjörnsson (Mar 08)
    - Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Vincent Danen (Mar 11)
- Re: CVE Request: PEAR Installer 1.9.1 <= - Symlink Attack Josh Bressers (Feb 28)