oss-sec mailing list archives
Re: Security risk of server side text editing in general and vim.tiny specifically
From: Fiedler Roman <Roman.Fiedler () ait ac at>
Date: Fri, 3 Nov 2017 12:25:12 +0000
> From: Jakub Wilk [mailto:jwilk () jwilk net]
>
> * Fiedler Roman <Roman.Fiedler () ait ac at>, 2017-11-03, 11:07:
> > POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user root
> > when editing a file in a directory owned by another user is available on
> > request; disclosure after one week or if list discussion indicates other
> > timing.
>
> By default[1], when vim wants to overwrite the file "foo", it does:
>
>   rename("foo", "foo~") = 0
>   open("foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0600) = 3
>
> There's a race window between the two syscalls when the attacker could
> re-create "foo", and then vim would happily write to it.
>
> Is this the attack you meant?
This is one of the attack points, but there are multiple sequences of
problematic syscalls, especially when running vim.tiny as root, also:

  getxattr("x.txt", "system.posix_acl_access", ...   -> get attrs of arbitrary file via symlink
  setxattr("x.txt", "system.posix_acl_access", ...   -> set those attrs on arbitrary file
  chmod("x.txt", 0100644) = 0                        -> set mode of previous x.txt on arbitrary file
  ...

As previously stated, this indicates that the "root-edits-file-of-non-root-user"
use case was not considered. But is that a problem? To put it another way: when a
doctor cuts himself with his scalpel, is it the doctor's or the scalpel's fault?

Kind regards, Roman
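Added example, not code from vim or from anyone in this thread, putting the two sequences discussed above side by side in C: a rewrite that renames the file to a backup and then re-opens it by path with O_CREAT|O_TRUNC (the strace Jakub quotes), against a rewrite that opens the existing entry with O_NOFOLLOW, verifies the inode it actually got (regular file, expected owner, a single link), and truncates and writes through that descriptor only. The self_check() scenario, the directory and file names foo, secret, sym and hard, and the owner check against the caller's own uid are all constructed for the demonstration; it assumes Linux with glibc and a writable TMPDIR or /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy rewrite, mirroring the strace quoted in the thread: rename() the file to a
 * backup, then open(O_CREAT|O_TRUNC) by path. Between the two calls the directory
 * owner can recreate `path` as a symlink to any file, which root then truncates. */
int racy_overwrite(const char *path, const char *data, size_t len)
{
    char backup[PATH_MAX];
    snprintf(backup, sizeof backup, "%s~", path);
    if (rename(path, backup) != 0) return -1;
    /* --- race window: nothing ties `path` to an inode we have inspected --- */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}

/* Hardened rewrite: never create or truncate through a path. Open the existing
 * entry with O_NOFOLLOW (a planted symlink fails with ELOOP), then check the inode
 * actually opened: regular file, owned by expected_uid (for a root editor: the
 * owner of dirfd), not hard-linked from elsewhere. Everything afterwards uses the
 * descriptor; the thread's chmod("x.txt", ...) would likewise become fchmod(fd, ...). */
int safe_overwrite(int dirfd, const char *name, uid_t expected_uid,
                   const char *data, size_t len)
{
    struct stat st;
    int fd = openat(dirfd, name, O_WRONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_uid || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0 || write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Reads a file below dirfd without following symlinks; returns byte count or -1. */
static int read_all(int dirfd, const char *name, char *buf, size_t cap)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, cap - 1);
    if (fd >= 0) close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

#define STEP(n, ok) do { if (rc == 0 && !(ok)) rc = (n); } while (0) /* first failure -> rc */
/* Constructed scenario in a fresh temporary directory (TMPDIR or /tmp): "foo" is
 * the file being edited, "secret" the victim file, "sym"/"hard" the attacker's
 * symlink and hard link to it. Returns 0 when the hardened path rewrites foo, refuses
 * sym and hard, leaves secret intact, and the path-based open from the race window
 * then truncates secret through the symlink; otherwise the number of the failing step. */
int self_check(void)
{
    char dir[PATH_MAX], buf[64];
    int dfd, fd, rc = 0;
    uid_t me = geteuid();
    snprintf(dir, sizeof dir, "%s/edit-race-XXXXXX", getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp");
    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return 1;
    STEP(2, (fd = openat(dfd, "foo", O_WRONLY | O_CREAT | O_EXCL, 0644)) >= 0 &&
            write(fd, "old\n", 4) == 4 && close(fd) == 0);
    STEP(3, (fd = openat(dfd, "secret", O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0 &&
            write(fd, "secret\n", 7) == 7 && close(fd) == 0);
    STEP(4, symlinkat("secret", dfd, "sym") == 0 && linkat(dfd, "secret", dfd, "hard", 0) == 0);
    STEP(5, safe_overwrite(dfd, "foo", me, "new\n", 4) == 0);
    STEP(6, read_all(dfd, "foo", buf, sizeof buf) == 4 && strcmp(buf, "new\n") == 0);
    STEP(7, safe_overwrite(dfd, "sym", me, "pwned\n", 6) == -1 && errno == ELOOP);
    STEP(8, safe_overwrite(dfd, "hard", me, "pwned\n", 6) == -1 && errno == EPERM);
    STEP(9, read_all(dfd, "secret", buf, sizeof buf) == 7 && strcmp(buf, "secret\n") == 0);
    /* Second half of the racy sequence, run after the attacker has planted "sym": */
    STEP(10, (fd = openat(dfd, "sym", O_WRONLY | O_CREAT | O_TRUNC, 0600)) >= 0 && close(fd) == 0);
    STEP(11, read_all(dfd, "secret", buf, sizeof buf) == 0);  /* emptied through the symlink */
    unlinkat(dfd, "foo", 0); unlinkat(dfd, "secret", 0);
    unlinkat(dfd, "sym", 0); unlinkat(dfd, "hard", 0);
    close(dfd); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
    return rc != 0;
}
```

Build with cc -Wall and run; a zero exit status means the hardened path wrote foo, refused both the symlink and the hard link, and the path-based open afterwards still emptied secret through the symlink. The st_nlink check is there because O_NOFOLLOW stops symlinks only: a hard link to a file the attacker does not own (possible where fs.protected_hardlinks is off) is a regular file and passes the symlink test, so only the owner and link-count checks catch it. Note that the hardened variant keeps the original inode and makes no backup; vim's rename-to-backup step is exactly what opens the window Jakub describes.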