oss-sec mailing list archives

Re: Security risk of server side text editing in general and vim.tiny specifically


From: Fiedler Roman <Roman.Fiedler () ait ac at>
Date: Fri, 3 Nov 2017 12:25:12 +0000

> From: Jakub Wilk [mailto:jwilk () jwilk net]
>
> * Fiedler Roman <Roman.Fiedler () ait ac at>, 2017-11-03, 11:07:
>> POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user
>> root when editing file in directory owned by other user is available on
>> request, disclosure after one week or if list discussion indicates
>> other timing.
>
> By default[1], when vim wants to overwrite the file "foo", it does:
>
>    rename("foo", "foo~")                   = 0
>    open("foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0600) = 3
>
> There's a race window between the two syscalls when the attacker could
> re-create "foo", and then vim would happily write to it.
>
> Is this the attack you meant?

This is one of the attack points, but there are multiple sequences of
problematic syscalls, especially when running vim.tiny as root, also:

   getxattr("x.txt", "system.posix_acl_access", ...  -> get attrs of arbitrary file via symlink
   setxattr("x.txt", "system.posix_acl_access", ...  -> set those attrs on arbitrary file
   chmod("x.txt", 0100644)                 = 0       -> set mode of previous x.txt on arbitrary file
   ...

As previously stated, this indicates that the
"root-edits-file-of-non-root-user" use case was not considered. But is that a
problem?

To put it another way: when a doctor cuts himself with his scalpel, is it the
doctor's or the scalpel's fault?

LG Roman
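As an added example (not code from this thread or from vim), the racy second syscall of the quoted sequence beside a hardened variant, replayed in a scratch directory under /tmp so the difference is observable. The scratch setup, the "victim" file name and the function names are constructed for the demonstration; it assumes Linux and a writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Second syscall of the racy sequence quoted in the thread. */
static int open_step_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened second step: O_EXCL fails with EEXIST if anything (file or
 * symlink) now sits at the path, O_NOFOLLOW never follows a symlink,
 * fstat() confirms we hold a fresh regular file before writing, and the
 * mode is applied with fchmod() on the descriptor, not chmod() on the path. */
static int open_step_safe(const char *path, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchmod(fd, mode) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed helper: create a file with the given contents. */
static void put(const char *p, const char *s) {
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd >= 0 && write(fd, s, strlen(s)) < 0) perror("write");
    if (fd >= 0) close(fd);
}

/* Replays the window between rename() and open(): after rename("foo","foo~")
 * the path is re-created as a symlink to an unrelated "victim" file.
 * Returns 1 if the victim ended up overwritten, 0 if it survived intact. */
int victim_clobbered(int hardened) {
    char dir[] = "/tmp/vimrace.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char foo[64], bak[64], victim[64];
    snprintf(foo, sizeof foo, "%s/foo", dir);
    snprintf(bak, sizeof bak, "%s/foo~", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    put(foo, "old\n");
    put(victim, "secret\n");          /* 7 bytes before the edit */
    rename(foo, bak);                 /* editor's first syscall */
    symlink(victim, foo);             /* path re-created in the race window */
    int fd = hardened ? open_step_safe(foo, 0644) : open_step_racy(foo);
    if (fd >= 0) { if (write(fd, "new\n", 4) < 0) perror("write"); close(fd); }
    struct stat st;
    int clobbered = stat(victim, &st) == 0 && st.st_size == 4;
    unlink(foo); unlink(bak); unlink(victim); rmdir(dir);
    return clobbered;
}
```

With the racy step the victim shrinks to the four bytes of new content; with the hardened step open() refuses the re-created path and the victim is untouched.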
