Bugtraq mailing list archives
Re: Tripwire temporary files
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert () uumail gov bc ca>
Date: Thu, 12 Jul 2001 18:56:42 -0700
In message <3B4A936D.FF2DA075 () ezlink com>, Charles Stevenson writes:
Jarno Huuskonen wrote:After that I looked at the tripwire sources and confirmed the problem. (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and tw/textreportviewer.cpp).If you noticed a few more lines down the file get's removed. -> TSTRING& cUnixFSServices::MakeTempFilename( TSTRING& strName ) const throw(eFSServices) -> { -> ... -> // create temp filename -> pchTempFileName = mktemp( szTemplate ); -> ... -> strName = pchTempFileName; -> ... -> -> // Linux creates the file!! Doh! -> // So I'll always attempt to delete it -bam -> FileDelete( strName ); -> -> return( strName ); -> } So it's going to be a really tight race since the file would have to be created just after FileDelete is called. -> void cLockedTemporaryFileArchive::OpenReadWrite( const TCHAR* filename, uint32 openFlags ) -> { -> ... -> // if filename is NULL, create a temp file for the caller -> if( filename == NULL ) -> { -> try -> { -> iFSServices::GetInstance()->GetTempDirName( strTempFile ); -> strTempFile += _T("twtempXXXXXX"); -> iFSServices::GetInstance()->MakeTempFilename( strTempFile ); -> ... -> // open file -> mCurrentFilename = filename ? filename : strTempFile.c_str(); -> mCurrentFile.Open( mCurrentFilename, flags ); -> ... -> } I've been trying to think of a way to exploit this. The only way I could foresee was if you could run an exploit as a cron timed with a tripwire cron run as root and the exploit would create a lot of symlinks right before tripwire runs which could allow creation of files as root but if the file get's removed then really what you'd need is a way to watch all the symlinks you've created and the instant one is removed create it again (run on sentence;). Any ideas? The patch should be to use mkstemp() if the OS is Linux.
Here are patches to Tripwire-1.3.1 and -2.3.1-2. The 1.3.1 patches have been in use in the FreeBSD port for over a year, while the Tripwire-2.3.1 patches have been in the upcoming FreeBSD Tripwire-2.3.1 port which will be released once I've completed testing Tripwire 2.3.1 in parallel with 1.3.1. I don't know whether the commercial version (2.4) has this bug (haven't installed it yet, though as the free version is probably based on the commercial version, I suspect (guess) it might be. Tripwire 1.3.1 patches follow: --- src/config.parse.c.orig Tue Jun 13 23:24:14 2000 +++ src/config.parse.c Tue Jun 13 23:30:35 2000 @@ -55,7 +55,6 @@ #endif /* prototypes */ -char *mktemp(); static void configfile_descend(); #ifndef L_tmpnam @@ -105,8 +104,8 @@ }; (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); - if ((char *) mktemp(tmpfilename) == NULL) { - perror("configfile_read: mktemp()"); + if (mkstemp(tmpfilename) == -1) { + perror("configfile_read: mkstemp()"); exit(1); } --- src/dbase.build.c.orig Tue May 4 17:31:00 1999 +++ src/dbase.build.c Tue Jun 13 23:40:06 2000 @@ -60,7 +60,6 @@ int files_scanned_num = 0; /* prototypes */ -char *mktemp(); /* new database checking routines */ static void database_record_write(); @@ -135,8 +134,8 @@ die_with_err("malloc() failed in database_build", (char *) NULL); (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); - if ((char *) mktemp(tmpfilename) == NULL) - die_with_err("database_build: mktemp()", (char *) NULL); + if (mkstemp(tmpfilename) == -1) + die_with_err("database_build: mkstemp()", (char *) NULL); (void) strcpy(tempdatabase_file, tmpfilename); (void) strcpy(database, tempdatabase_file); @@ -814,8 +813,8 @@ /* build temporary file name */ (void) strcpy(backup_name, TEMPFILE_TEMPLATE); - if ((char *) mktemp(backup_name) == NULL) { - die_with_err("copy_database_to_backup: mktemp() failed!", NULL); + if (mkstemp(backup_name) == -1) { + die_with_err("copy_database_to_backup: mkstemp() failed!", NULL); } strcpy (database_backupfile, backup_name); --- src/siggen.c.orig Tue Jun 13 23:42:53 2000 +++ src/siggen.c Tue Jun 13 23:43:27 2000 @@ -52,7 +52,6 @@ extern int optind; int debuglevel = 0; -char *mktemp(); int (*pf_signatures [NUM_SIGS]) () = { SIG0FUNC, @@ -172,8 +171,8 @@ }; (void) strcpy(tmpfilename, "/tmp/twzXXXXXX"); - if ((char *) mktemp(tmpfilename) == NULL) { - perror("siggen: mktemp()"); + if (mkstemp(tmpfilename) == -1) { + perror("siggen: mkstemp()"); exit(1); } --- src/utils.c.orig Tue Jun 13 23:43:01 2000 +++ src/utils.c Tue Jun 13 23:43:50 2000 @@ -856,8 +856,8 @@ int fd; (void) strcpy(tmp, TEMPFILE_TEMPLATE); - if ((char *) mktemp(tmp) == NULL) { - perror("tempfilename_generate: mktemp()"); + if (mkstemp(tmp) == -1) { + perror("tempfilename_generate: mkstemp()"); exit(1); } And for Tripwire-2.3.1 the patch is: --- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001 +++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001 @@ -243,6 +243,7 @@ { char* pchTempFileName; char szTemplate[MAXPATHLEN]; + int fd; #ifdef _UNICODE // convert template from wide character to multi-byte string @@ -253,13 +254,14 @@ strcpy( szTemplate, strName.c_str() ); #endif - // create temp filename - pchTempFileName = mktemp( szTemplate ); + // create temp filename and check to see if mkstemp failed + if ((fd = mkstemp( szTemplate )) == -1) { + throw eFSServicesGeneric( strName ); + } else { + close(fd); + } + pchTempFileName = szTemplate; - //check to see if mktemp failed - if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) { - throw eFSServicesGeneric( strName ); - } // change name so that it has the XXXXXX part filled in #ifdef _UNICODE We haven't had a chance to install the commercial version yet, however if the commercial version is vulnerable (I've notified TripwireSecurity of the possibility and I'm betting dollars to donuts that is might be) a possible workaround would be to create a shared library with a function named mktemp which would call mkstemp() as in the patches above, then execute tripwire using LD_PRELOAD to load the mktemp wrapper. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert () osg gov bc ca Open Systems Group, ITSD, ISTA Province of BC
Current thread:
- Tripwire temporary files Jarno Huuskonen (Jul 09)
- Re: Tripwire temporary files Charles Stevenson (Jul 10)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 15)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 15)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 16)
- Re: Tripwire temporary files Cy Schubert - ITSD Open Systems Group (Jul 15)
- Re: Tripwire temporary files Charles Stevenson (Jul 10)
- Re: Tripwire temporary files Paul Starzetz (Jul 10)
- Re: Tripwire temporary files Jarno Huuskonen (Jul 10)