|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Symlinks and Cryogenic Sleep
Subject: Re: Symlinks and Cryogenic Sleep
From: Marc Heuse (mheuse
KPMG.COM)
Date: Wed Jan 05 2000 - 03:57:24 CST
- Next message: Sonny Parlin: "Re: Flaw in 3c59x.c or in Kernel?"
- Previous message: Marc Heuse: "Re: Symlinks and Cryogenic Sleep"
- In reply to: Goetz Babin-Ebell: "Re: Symlinks and Cryogenic Sleep"
- Next in thread: Antonomasia: "Re: Symlinks and Cryogenic Sleep"
- Reply: Marc Heuse: "Re: Symlinks and Cryogenic Sleep"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
>>when you're dealing with files in /tmp that are supposed to be re-opened
>>(rather than opened once and then discarded) there's an established
>>way to do it which goes like this:
[...]
>I did something that way:
oh, not a good idea:
>FILE *DoOpen(const char *cpFile, long bAppend)
>{
> FILE *spNew;
> FILE *spTest;
> struct stat sStat;
>
> spTest = fopen(cpFile,"a");
> if (!spTest)
> {
> Log("ERR FILE OPEN",cpFile);
> return NULL;
> }
man fopen says about "a" (append mode):
the file is created, if it does not exist.
make cpFile a symlink to anything, and your function will create it (e.g. /etc/nologin).
> if (lstat(cpFile,&sStat))
> {
> Log("ERR STAT",cpFile);
> return NULL;
> }
> if ((sStat.st_mode & S_IFMT) == S_IFLNK)
> {
> fclose(spTest);
> Log("ERR ISLINK",cpFile);
> return NULL;
> }
now, if cpFile is a hardlink to e.g. /etc/passwd, this won´t help.
and even better: you´ve got the same race condition which Olaf describes, but the other way around. If the attacker creates the symlink before your fopen() call and before you do the lstat, he removes/renames it and creates a regular file, boom ...
> if (bAppend)
> spNew = spTest;
[... etc. the rest of the code is not relevant to security]
>Comments ?
>Improvements ?
well, it´s insecure... :-(
I also posted a reply some hours ago to bugtraq with my proposed algorythm to eliminate the race condition. I sent it from marcsuse.de ... well, might take some time until it´s approved (but probably faster than this one ;-)
Greets,
Marc
Please note that all statements here are my own opinions and do not reflect any point of view of the company where I work at...
- Next message: Sonny Parlin: "Re: Flaw in 3c59x.c or in Kernel?"
- Previous message: Marc Heuse: "Re: Symlinks and Cryogenic Sleep"
- In reply to: Goetz Babin-Ebell: "Re: Symlinks and Cryogenic Sleep"
- Next in thread: Antonomasia: "Re: Symlinks and Cryogenic Sleep"
- Reply: Marc Heuse: "Re: Symlinks and Cryogenic Sleep"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 15:16:34 CST