Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Tripwire temporary files

From: dynamo <dynamo () harvard net>
Date: Tue, 10 Jul 2001 10:02:44 -0400 (EDT)
On the older versions of tripwire, and likely before this patch, the
easiest exploit was to symlink the temporary tripwire database back to the
original tripwire database it was using to test against.

If you raced it properly, it would cause tripwire not to see any changes
at all.

I was able to do this in a shell script for older releases -- but i didnt
test against this most recent version.




On Mon, 9 Jul 2001, Charles Stevenson wrote:


Jarno Huuskonen wrote:


 After that I looked at the tripwire sources and confirmed the problem.
 (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
 tw/textreportviewer.cpp).


If you noticed a few more lines down the file get's removed.

-> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const
throw(eFSServices)
-> {
-> ...
->     // create temp filename
->     pchTempFileName = mktemp( szTemplate );
-> ...
->     strName = pchTempFileName;
-> ...
->
->     // Linux creates the file!!  Doh!
->     // So I'll always attempt to delete it -bam
->     FileDelete( strName );
->
->    return( strName );
-> }

So it's going to be a really tight race since the file would have to be
created just after FileDelete is called.

-> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR*
filename, uint32 openFlags )
-> {
-> ...
->     // if filename is NULL, create a temp file for the caller
->     if( filename == NULL )
->       {
->         try
->           {
->             iFSServices::GetInstance()->GetTempDirName( strTempFile
);
->             strTempFile += _T("twtempXXXXXX");
->             iFSServices::GetInstance()->MakeTempFilename( strTempFile
);
-> ...
->     // open file
->     mCurrentFilename = filename ? filename : strTempFile.c_str();
->     mCurrentFile.Open( mCurrentFilename, flags );
-> ...
-> }

I've been trying to think of a way to exploit this. The only way I could
foresee was if you could run an exploit as a cron timed with a tripwire
cron run as root and the exploit would create a lot of symlinks right
before tripwire runs which could allow creation of files as root but if
the file get's removed then really what you'd need is a way to watch all
the symlinks you've created and the instant one is removed create it
again (run on sentence;).  Any ideas?

The patch should be to use mkstemp() if the OS is Linux.

Best Regards,
Charles Stevenson
Previous By Date Next
Previous By Thread Next

Current thread: