Date:         Wed, 17 Jan 2001 03:58:56 +0100
From: Roman Drahtmueller <draht@SUSE.DE>
Subject:      Re: Serious security flaw in SuSE rctab
To: BUGTRAQ@SECURITYFOCUS.COM

On Sat, 13 Jan 2001, Paul Starzetz wrote:

> From: Paul Starzetz <paul@STARZETZ.DE>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Date: Sat, 13 Jan 2001 19:15:51 +0100
> Subject: Serious security flaw in SuSE rctab
>

> Hi @ll,
>
> it seems that the problem described below has not been discussed on
> Bugtraq.

Does that mean you wouldn't have reported it otherwise? Why? No, it's
public for the first time. Before writing to bugtraq, you could have
communicated it to us. It was sent to feedback@suse.de, our address for
bugs, RFE and such, at around the time when your mail was submitted to
bugtraq. <security@suse.de>, our contact address for security-related
issues, was not addressed.

Your mail reveals that your primary intention was _not_ to improve
security: You failed to report this problem, and there is no hint on how
to fix it. Please let me do that, then (search for "Solution"!).

-


> Problem description
> -------------------
>
> Due to various race conditions in the init level editing script
> /sbin/rctab it is possible for any local user to overwrite any system's


I confirm that a problem exists with the rctab script from the aaa_base
package in SuSE-6.0, 6.1, 6.2, 6.3, 6.4, 7.0, all platforms, as well as
the SuSE-5.x distributions.

However, the description of the problem is not accurate. The race
condition is a result of a failure to create a directory to store the
temporary file in. The mkdir command used does not take into account that
the directory, if it exists already, might not belong to root or may be
writeable for attackers. `chown root:root´ is clearly a wrong step since
this would introduce a race in a 1777- directory again.

The relevant piece of the /sbin/rctab shell script reads as follows:

___[snip]
tmpdir=/tmp/rctmpdir.$$
tmp="${tmpdir}/rctmp"

trap "rm -rf $tmpdir" 0 1 3 4 7 9 13 15
trap "exit 1" 2
mkdir -p ${tmpdir}
if test $? -gt 0 -o ! -d ${tmpdir} ; then
    echo "Error $0: cannot create $tmpdir" 1>&2
    exit 1
fi
chmod 0700 $tmpdir
#
# make sort secure
#
export TMPDIR=$tmpdir
___[snip]


As you can see, `mkdir -p ...´ is used to create a directory within /tmp.
`mkdir -p´ does not return an error if the directory exists already. Thus,
the error condition that should be detected is not reached, and the
program does not exit.

Solution for the problem: remove the only occurrence of the string "-p "
in the file /sbin/rctab. Change the line

mkdir -p ${tmpdir}
to read
mkdir ${tmpdir}

Of course, we will provide update packages for the supported distributions
6.x and 7.0 (these will also fix some more, rather minor, problems). Future
versions of the SuSE distributions do not contain the rctab script any
more.


Only small comments of academic nature following now.


> file with arbitrary data. This may result in denial of service attack,
> local or even remote root compromise, if root runs the /sbin/rctab
> script.

To achieve a remote root compromise, local root privilege is required.
Therefore, it is not a remote root compromise.

> Details
> -------
>
> The /sbin/rctab script doesn't check for links writing the temporary
> rctmp file to /tmp/rctmpdir.$PID dir. Also the directory created isn't
> chown'ed root. Because the PID of the rctab script can be guessed (or

`chown root.root´ doesn't make sense from the security standpoint. If the
directory is created, it belongs to root. If it doesn't, then you would
not want it and abort the script. chown of a (potentially) user-owned file
is definitely not the way to go.

From within a C program, fchown(2) is ok if you made sure that the file
(that you hold open) is the one you wanted. It is even necessary to safely
unlink(2) it later to avoid a race in a 1777-directory (because there is
no "funlink(2)").


> looked up, however), any local user can replace the temporary rctmp file
> with arbitrary content. This can be exploited in one of the following
> manners:
>

[deleted down to EOF]

Roman Drahtmüller,
SuSE security.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
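The following script is an added example, not part of the message above and not SuSE's rctab code. It reproduces the failure mode Roman describes and the one-word fix: `mkdir -p` returns success for a pre-existing path, including a symlink that points at some directory, so the "cannot create" branch is never taken and the subsequent `chmod 0700` and temp-file write go through the attacker's link; plain `mkdir` fails with EEXIST on any pre-existing entry and the script aborts. All paths are constructed inside a scratch directory created by `mktemp -d`; the name `rctmpdir.1234` stands in for `/tmp/rctmpdir.$$`, and the "attacker" and "victim" run as the same user here, which is enough to show the control flow (the real attack needs root to run rctab into a directory the attacker planted).

```shell
#!/bin/sh
# Added example (not from /sbin/rctab): vulnerable `mkdir -p` temp-dir
# creation beside the fixed plain `mkdir` form, driven by a planted symlink.
# WORK is a constructed scratch directory; nothing is written outside it.
WORK="${WORK:-$(mktemp -d "${TMPDIR:-/tmp}/rctab-demo.XXXXXX")}"

# Vulnerable form: mirrors the original rctab logic. `mkdir -p` exits 0 when
# the path already exists (a symlink to a directory counts), so the error
# branch is never reached; chmod and the file write then follow the link.
vulnerable_create() {
    tmpdir=$1
    mkdir -p "$tmpdir"
    if test $? -gt 0 -o ! -d "$tmpdir" ; then
        echo "Error: cannot create $tmpdir" 1>&2
        return 1
    fi
    chmod 0700 "$tmpdir"
    echo "secret data" > "$tmpdir/rctmp"
}

# Fixed form: plain mkdir fails with EEXIST for any pre-existing entry,
# symlink included, so an attacker-planted name aborts the script before
# anything is written. -m 0700 sets the mode at creation, closing the
# window between mkdir and a separate chmod.
fixed_create() {
    tmpdir=$1
    if ! mkdir -m 0700 "$tmpdir" 2>/dev/null ; then
        echo "Error: cannot create $tmpdir" 1>&2
        return 1
    fi
    echo "secret data" > "$tmpdir/rctmp"
}

# Attacker step: pre-create the predictable name as a symlink pointing at a
# directory the attacker wants the victim script to write into.
plant_symlink() {
    target=$1; name=$2
    mkdir -p "$target"
    ln -s "$target" "$name"
}

# Returns 0 if the temp file ended up in the given directory.
file_landed_in() {
    test -f "$1/rctmp"
}

demo() {
    target="$WORK/attacker-target"
    name="$WORK/rctmpdir.1234"     # stands in for /tmp/rctmpdir.$$
    plant_symlink "$target" "$name"
    if vulnerable_create "$name" && file_landed_in "$target"; then
        echo "vulnerable: rctmp written through attacker symlink into $target"
    fi
    rm -f "$target/rctmp"
    if fixed_create "$name"; then
        echo "unexpected: fixed version wrote into pre-existing path"
    else
        echo "fixed: refused pre-existing $name"
    fi
    rm -rf "$WORK"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh rctab-demo.sh demo`. The same check that makes `fixed_create` safe is what `mktemp -d` does internally (mkdir with a random name, failing on EEXIST), so on a modern system `tmpdir=$(mktemp -d "${TMPDIR:-/tmp}/rctmp.XXXXXX") || exit 1` replaces the whole block and also removes the guessable `$$`-based name that lets the attacker plant the link in the first place.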