Bugtraq mailing list archives
Re: Insecure use of file in /tmp by trn
From: joey () FINLANDIA INFODROM NORTH DE (Martin Schulze)
Date: Mon, 23 Aug 1999 10:35:21 +0200
Rogier Wolff wrote:
This was not intentional by the author, he tried to use tempfile(1) to create the temporary filename. However, due to a thinko, the name was hardcoded into the script.[...]+#NNTPactive=\`tempfile -p active\` #"/tmp/active.\$\$"So now you're using tempfile? This usually yields an easilyNo, but now we're using tempfile in a proper way. In the original source code it was used like: NNTPactive=`tempfile -p active`This is what I meant. You've made it just a teeny bit harder to exploit, but the same expoit is still there. 10 years ago, this solution would've been adequate. Nowadays everbody should know that this is very hard to get right. Mover the "bad guys" already have the exploit programs ready. Creating a tempfile from a C program is possible since we have a mkstmp call. It is sufficiently tricky that I wouldn't dare
I'm sorry, but I don't understand. tempfile is a C program that creates a tempfile. DESCRIPTION tempfile creates a temporary file in a safe manner. It uses tempnam(3) to choose the name and opens it with O_RDWR | O_CREAT | O_EXCL. The filename is printed on standard output.
replicating the functionality myself. Creating a private directory in /tmp and putting the tempfiles in there might be the only solution for shell scripts.
In which case you only make things more difficult to exploit, since such a directory would be guessable as well as a tempfilename would, same for the file inside of it. Regards, Joey -- Whenever you meet yourself you're in a time loop or in front of a mirror.
Current thread:
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 22)
- Re: Insecure use of file in /tmp by trn Martin Schulze (Aug 23)
- <Possible follow-ups>
- Re: Insecure use of file in /tmp by trn Richard Kettlewell (Aug 23)
- Re: Insecure use of file in /tmp by trn Ben Pfaff (Aug 24)
- Re: Insecure use of file in /tmp by trn Theo de Raadt (Aug 27)
- Re: Insecure use of file in /tmp by trn Martin Schulze (Aug 29)
- WU-FTPD Security Update Thomas Biege (Aug 29)
- Re: Insecure use of file in /tmp by trn Luca Berra (Aug 30)
- Re: Insecure use of file in /tmp by trn Shuman (Aug 28)
- Re: Insecure use of file in /tmp by trn Todd C. Miller (Aug 30)
- Re: Insecure use of file in /tmp by trn Rogier Wolff (Aug 28)
- Vixie Cron version 3.0pl1 vulnerable to root exploit Martin Schulze (Aug 28)
- Re: Insecure use of file in /tmp by trn Theo de Raadt (Aug 27)