Re: Tripwire temporary files

[Ron DuFresne <dufresne () winternet com>]

On Mon, 9 Jul 2001, Charles Stevenson wrote:

> Jarno Huuskonen wrote:
>
> >  After that I looked at the tripwire sources and confirmed the problem.
> >  (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
> >  tw/textreportviewer.cpp).
>
> If you noticed a few more lines down the file get's removed.



Unless the tripwire process is halted for some reason, like a system
crash, or reboot during the run, etc.  In those cases the temp file<s> are
left untouched.

Thanks,

Ron DuFresne






> -> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const
> throw(eFSServices)
> -> {
> -> ...
> ->     // create temp filename
> ->     pchTempFileName = mktemp( szTemplate );
> -> ...
> ->     strName = pchTempFileName;
> -> ...
> -> 
> ->     // Linux creates the file!!  Doh!
> ->     // So I'll always attempt to delete it -bam
> ->     FileDelete( strName );
> -> 
> ->    return( strName );
> -> }
>
> So it's going to be a really tight race since the file would have to be
> created just after FileDelete is called.
>
> -> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR*
> filename, uint32 openFlags )
> -> {
> -> ...
> ->     // if filename is NULL, create a temp file for the caller
> ->     if( filename == NULL )
> ->       {
> ->         try
> ->           {
> ->             iFSServices::GetInstance()->GetTempDirName( strTempFile
> );
> ->             strTempFile += _T("twtempXXXXXX");  
> ->             iFSServices::GetInstance()->MakeTempFilename( strTempFile
> );
> -> ...
> ->     // open file
> ->     mCurrentFilename = filename ? filename : strTempFile.c_str();
> ->     mCurrentFile.Open( mCurrentFilename, flags );
> -> ...
> -> }
>
> I've been trying to think of a way to exploit this. The only way I could
> foresee was if you could run an exploit as a cron timed with a tripwire
> cron run as root and the exploit would create a lot of symlinks right
> before tripwire runs which could allow creation of files as root but if
> the file get's removed then really what you'd need is a way to watch all
> the symlinks you've created and the instant one is removed create it
> again (run on sentence;).  Any ideas?
>
> The patch should be to use mkstemp() if the OS is Linux.
>
> Best Regards,
> Charles Stevenson

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.