Re: CVE request: opencryptoki insecure lock files handling

[Raphael Geissert <geissert () debian org>]

On Sunday 09 September 2012 07:29:23 Tomas Hoger wrote:
> On Fri, 7 Sep 2012 11:26:34 -0500 Raphael Geissert wrote:
> > > There were following problems that I'm aware of:
> > >
> > > - /tmp/.pkapi_xpk - This was normally created by pcksslotd (running
> > > as root).  Symlink attack on this did not allow corrupting /
> > > truncating files, but allowed creating new empty files at arbitrary
> > > locations.
> > >
> > > - /tmp/.pkcs11spinloc - I believe this is created by opencryptoki
> > >   clients.  In addition to the above, there's a chmod to make this
> > > file world writable.  This may get created by non-root user, but
> > > chmod may still run later with root privileges later.
> > >
> > > Those files do not seem to get removed as part of the normal
> > > operation, so replacing them with symlinks if they already exist is
> > > limited by /tmp stickiness.  Attacker does not need to be pkcs11
> > > group member.
> >
> > Correct, and to make it clear: /tmp/.pkcs11spinloc *is* chmod'ed by
> > pcksslotd to make it world-writable.
>
> When do pkcsslotd does that, and which version?  It does not happen on
> its start or stop, or when client as pkcsconf queries for some data.

I apparently confused it with another set of CreateXProcLock and 
XProcUnLock's. pkcsslotd indeed doesn't seem to chmod spinloc.

Regarding /tmp/.pkapi_xpk, it is created by pkcsslotd with S_IRWXU|S_IRWXG|
S_IRWXO (but not chmoded). Upstream's init script seems to set a umask of 
077, but at least Debian's doesn't :-/

> If pkcs11 group member can make pkcsslotd chmod lock file, pkcs11 group
> membership need to be assumed root equivalent without any additional
> condition.

Agreed.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net