oss-sec mailing list archives
Re: CVE request: opencryptoki insecure lock files handling
From: Raphael Geissert <geissert () debian org>
Date: Wed, 12 Sep 2012 12:42:17 -0500
On Sunday 09 September 2012 07:29:23 Tomas Hoger wrote:
> On Fri, 7 Sep 2012 11:26:34 -0500 Raphael Geissert wrote:
> > > There were following problems that I'm aware of:
> > > - /tmp/.pkapi_xpk - This was normally created by pkcsslotd (running
> > >   as root). Symlink attack on this did not allow corrupting /
> > >   truncating files, but allowed creating new empty files at arbitrary
> > >   locations.
> > > - /tmp/.pkcs11spinloc - I believe this is created by opencryptoki
> > >   clients. In addition to the above, there's a chmod to make this
> > >   file world writable. This may get created by non-root user, but
> > >   chmod may still run later with root privileges.
> > > Those files do not seem to get removed as part of the normal
> > > operation, so replacing them with symlinks if they already exist is
> > > limited by /tmp stickiness. Attacker does not need to be pkcs11 group
> > > member.
> >
> > Correct, and to make it clear: /tmp/.pkcs11spinloc *is* chmod'ed by
> > pkcsslotd to make it world-writable.
>
> When does pkcsslotd do that, and which version? It does not happen on
> its start or stop, or when a client such as pkcsconf queries for some
> data.
I apparently confused it with another set of CreateXProcLock and
XProcUnLock's. pkcsslotd indeed doesn't seem to chmod spinloc.

Regarding /tmp/.pkapi_xpk, it is created by pkcsslotd with
S_IRWXU|S_IRWXG|S_IRWXO (but not chmod'ed). Upstream's init script seems
to set a umask of 077, but at least Debian's doesn't :-/
> If pkcs11 group member can make pkcsslotd chmod lock file, pkcs11 group
> membership need to be assumed root equivalent without any additional
> condition.
Agreed.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
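The two weaknesses the thread turns on are a lock file created with mode S_IRWXU|S_IRWXG|S_IRWXO in a shared directory, and a later chmod() on the path rather than on the open descriptor. The following is an added example, not opencryptoki's code: a lock-file open routine that refuses a symlink at the lock path (O_NOFOLLOW), never produces a world-writable file regardless of the daemon's umask, verifies with fstat() that the descriptor refers to a regular file owned by the caller, and fixes group permissions with fchmod() on the descriptor so there is no second path lookup to race. The scratch directory, the "victim" file and the planted symlink are constructed inputs for the self-check; the real daemon would place its lock files in a directory it owns, since O_NOFOLLOW only protects the final path component.

```c
/* Added example (not opencryptoki code): hardened lock-file creation.
 * Directory and file names below are constructed for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOCK_MODE 0660   /* owner + lock group (e.g. pkcs11), never world-writable */

/* Hardened open:
 *  - O_NOFOLLOW: a symlink sitting at the lock path makes open() fail (ELOOP)
 *    instead of creating or truncating whatever it points at,
 *  - creation mode is 0660, so even umask 0 (the init-script case mentioned
 *    in the thread) cannot yield a world-writable file,
 *  - fstat() on the descriptor checks that we hold a regular file owned by
 *    the caller, so a pre-existing foreign file is refused, not reused,
 *  - fchmod() on the descriptor sets the group bits without a second path
 *    lookup, so there is no chmod(path) window for an attacker to race. */
int open_lock_file_safe(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, LOCK_MODE);
    if (fd < 0)
        return -1;                                 /* errno: ELOOP for a symlink */

    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd); errno = EPERM; return -1;       /* not our regular file */
    }
    if (fchmod(fd, LOCK_MODE) < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

/* Self-check: plant a symlink where the lock file is expected, verify the
 * hardened open refuses it and leaves the target untouched, then verify a
 * fresh lock file comes out as a regular file with mode 0660.
 * Returns 0 on success, a small positive code identifying the failed step. */
int run_lock_file_check(void)
{
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[4096], target[4096], lock[4096];
    snprintf(dir, sizeof dir, "%s/lockdemo.XXXXXX", base);   /* constructed */
    if (!mkdtemp(dir))
        return 10;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/.lock", dir);

    int rc = 0;
    struct stat before, after, st;
    /* A regular file standing in for something the daemon must not touch. */
    int t = open(target, O_CREAT | O_WRONLY, 0600);
    if (t < 0 || fstat(t, &before) < 0) { rc = 11; goto out; }
    close(t);
    /* A symlink planted at the lock path (constructed adversarial input). */
    if (symlink(target, lock) < 0) { rc = 12; goto out; }

    int fd = open_lock_file_safe(lock);
    if (fd >= 0) { close(fd); rc = 1; goto out; }   /* must refuse the symlink */
    if (errno != ELOOP) { rc = 2; goto out; }
    if (stat(target, &after) < 0 || after.st_mode != before.st_mode
        || after.st_size != before.st_size) { rc = 3; goto out; } /* untouched */

    unlink(lock);
    fd = open_lock_file_safe(lock);                /* normal case: fresh file */
    if (fd < 0) { rc = 4; goto out; }
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || (st.st_mode & 0777) != LOCK_MODE)
        rc = 5;
    close(fd);
out:
    unlink(lock);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_lock_file_check();
    printf("lock-file check: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The check that matters operationally is the fstat() on the descriptor rather than a stat() on the path: the descriptor cannot be swapped out from under the daemon, whereas a path can be re-pointed between any two lookups. O_NOFOLLOW covers only the last component, which is why the lock directory itself must be one the daemon owns and no one else can write to.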