FileCache: tmp file permission vulnerability.

Larry W. Cashdollar
Vapid Labs
http://vapid.dhs.org
2/16/2010

Perl Cache-Cache-1.06 is a memory and file caching module for Perl. It stores its default file cache in /tmp with world read/write permissions. A local attacker can use this cache to glean information from applications using the module, regardless of whether the transaction is taking place over an encrypted SSL session.

root@dev-unix-sec01:/tmp# ls -l --color=no
total 200
drwxrwxrwx 3 root root 4096 Feb 10 12:53 FileCache

root@dev-unix-sec01:/tmp/FileCache/Default# ls -l --color=no
total 64
drwxrwxrwx 17 root root 4096 Feb 11 16:10 0
drwxrwxrwx 18 root root 4096 Feb 10 15:50 1
drwxrwxrwx 18 root root 4096 Feb 11 16:11 2
drwxrwxrwx 16 root root 4096 Feb 11 16:09 3
drwxrwxrwx 18 root root 4096 Feb 10 15:51 4
drwxrwxrwx 17 root root 4096 Feb 11 16:09 5
drwxrwxrwx 18 root root 4096 Feb 10 15:51 6
drwxrwxrwx 15 root root 4096 Feb 11 16:09 7
drwxrwxrwx 17 root root 4096 Feb 10 15:51 8
drwxrwxrwx 18 root root 4096 Feb 11 16:10 9
drwxrwxrwx 17 root root 4096 Feb 10 15:51 a
drwxrwxrwx 17 root root 4096 Feb 11 16:09 b
drwxrwxrwx 17 root root 4096 Feb 11 16:10 c
drwxrwxrwx 18 root root 4096 Feb 11 16:11 d
drwxrwxrwx 17 root root 4096 Feb 11 16:09 e
drwxrwxrwx 16 root root 4096 Feb 11 16:10 f

root@dev-unix-sec01:/tmp/FileCache/Default/f/f/9# ls -l --color=no
total 64
-rw-r--r-- 1 root root 8035 Feb 12 08:39 ff9984b83c656ad4884e116bcf60fdca16be6483
-rw-r--r-- 1 root root 51521 Feb 12 08:37 ff9ebcc002b4067391f0baae96c3e23e8ef248a8
root@dev-unix-sec01:/tmp/FileCache/Default/f/f/9#
root@dev-unix-sec01:/tmp/FileCache/Default/f/f/9# strings ff9984b83c656ad4884e116bcf60fdca16be6483 |more
prod-mail-list02.example.com
Cache::Object
_Size
Kv
_Expires_At
_Key
KuZ
_Created_At
adduser-3.105ubuntu1
apache2-2.2.8-1ubuntu0.11
apache2.2-common-2.2.8-1ubuntu0.11
apache2-mpm-worker-2.2.8-1ubuntu0.11
apache2-utils-2.2.8-1ubuntu0.11
apt-0.7.9ubuntu17.2
aptitude-0.4.9-2ubuntu5
apt-utils-0.7.9ubuntu17.2
at-3.1.10ubuntu4
atsar-1.7-2
base-files-4.0.1ubuntu5.8.04.7
base-passwd-3.5.16

This can be fixed with a simple patch:

larry@brazil:~/Desktop/Cache-Cache-1.06/lib/Cache$ diff -Nur FileCache.pm 1
--- FileCache.pm 2009-02-28 19:53:14.000000000 -0500 +++ 1 2010-02-12 21:13:31.000000000 -0500 @@ -35,7 +35,7 @@ # by default, the root of the cache is located in 'FileCache'. On a # UNIX system, this will appear in "/tmp/FileCache/" -my $DEFAULT_CACHE_ROOT = "FileCache"; +my $DEFAULT_CACHE_ROOT = qw(FileCache_) . $>; # by default, the directories in the cache on the filesystem should @@ -43,7 +43,7 @@ # potential security concern, the actual cache entries are written # with the user's umask, thus reducing the risk of cache poisoning -my $DEFAULT_DIRECTORY_UMASK = 000; +my $DEFAULT_DIRECTORY_UMASK = 077; sub Clear

Cache::Cache is no longer being developed; http://search.cpan.org/~jswartz/CHI-0.34/lib/CHI.pm should be used instead.

http://vapid.dhs.org/w/doku.php?id=perl_cache:cache_filecache_permissions_issue
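
Review bot: In the first hunk, `my $DEFAULT_CACHE_ROOT = qw(FileCache_) . $>;` gives each user a cache root whose name under the temp directory is predictable, and nothing in the hunk verifies that an already existing directory of that name is owned by the effective uid and is not a symlink. The code that creates the root should check ownership and mode, and refuse to use the directory otherwise, before reading or writing entries. The context comment still says the root is 'FileCache' and "/tmp/FileCache/", so it needs updating, and a plain string "FileCache_" would be clearer than qw() in scalar context.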
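
Review bot: In the second hunk, `my $DEFAULT_DIRECTORY_UMASK = 077;` restricts directories only; the context comment says the entries are still written with the user's umask, so files like the -rw-r--r-- ones in the listing stay world-readable by mode and are protected only while every parent directory was created under the new default. Directories already created under the old 000 default keep drwxrwxrwx, so the change should come with a note to remove the old /tmp/FileCache tree, and the comment above the variable should be rewritten to describe the new default instead of the old rationale.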
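
An added example, not part of the original advisory: a POSIX shell check that lists what the `ls -l` sessions above show by hand, for any cache root such as /tmp/FileCache. The names `audit_filecache` and `build_sample_cache` are chosen here, the sample tree is constructed, and only the "other" permission bits are examined.

```shell
#!/bin/sh
# audit_filecache ROOT
# Prints one finding per line; returns 0 if clean, 1 if anything is
# exposed to other local users, 2 if ROOT is not a directory.
audit_filecache() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Directories in which any local user can create or replace entries.
        find "$root" -type d -perm -0002 \
            -exec printf 'world-writable dir: %s\n' {} \;
        # Entries readable by others AND reachable: prune every directory
        # that lacks the other-execute bit, because nothing below it can
        # be opened by another user whatever the file's own mode is.
        find "$root" -type d ! -perm -0001 -prune -o \
            -type f -perm -0004 \
            -exec printf 'world-readable entry: %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# build_sample_cache DIR DIR_UMASK
# Constructed stand-in for the advisory's tree: directories are created
# under DIR_UMASK (000 before the patch, 077 after), and one entry is
# written with a typical user umask of 022, giving it mode 0644.
build_sample_cache() {
    ( umask "$2"; mkdir -p "$1/Default/f/f/9" )
    ( umask 022; echo 'constructed cache entry' > "$1/Default/f/f/9/entry" )
}

# Usage: audit_filecache /tmp/FileCache
```

With directories created under 077 the 0644 entry is no longer reported, because the pruning step treats it as unreachable.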