Debian Bug report logs - #264234
initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack


Package: initscripts; Maintainer for initscripts is Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>; Source for initscripts is src:sysvinit (PTS, buildd, popcon).

Reported by: Zygo Blaxell <zblaxell@ashura.furryterror.org>

Date: Sat, 7 Aug 2004 18:48:04 UTC

Severity: serious

Tags: patch, sarge, security

Found in version 2.86-1

Fixed in version sysvinit/2.86-2

Done: Miquel van Smoorenburg <miquels@cistron.nl>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Zygo Blaxell <zblaxell@ashura.furryterror.org>:
New Bug report received and forwarded. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Zygo Blaxell <zblaxell@ashura.furryterror.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: initscripts: bootclean.sh file creation vulnerability
Date: Sat, 07 Aug 2004 14:38:06 -0400
Package: initscripts
Version: 2.86-1
Severity: normal

While rejecting modifications to bootclean.sh today, I noticed a line
that read:

	:>> /tmp/.clean

This suggests at least a file creation security vulnerability exploitable
as follows:

	zblaxell@dio:~$ ls -l /tmp/.clean 
	ls: /tmp/.clean: No such file or directory
	zblaxell@dio:~$ ln -s /FOO /tmp/.clean
	zblaxell@dio:~$ reboot -ndf

...one reboot later...

	zblaxell@dio:~$ ls -l /FOO
	-rw-r--r--  1 root root 0 Aug  7 13:56 /FOO

The ability to create root-owned empty files with arbitrary names can
probably be used to at least create inconvenience, if not wreak more
interesting security-related havoc.

-- System Information:
Debian Release: 3.0
  APT prefers testing
  APT policy: (102, 'testing'), (101, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-zb-k7-smp
Locale: LANG=C, LC_CTYPE=C

Versions of packages initscripts depends on:
ii  coreutils                   5.2.1-2      The GNU core utilities
ii  dpkg                        1.10.23      Package maintenance system for Deb
ii  e2fsprogs                   1.35-6       The EXT2 file system utilities and
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an
ii  mount                       2.11n-7      Tools for mounting and manipulatin
ii  util-linux                  2.11n-7      Miscellaneous system utilities.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Miquel van Smoorenburg <miquels@cistron.net>:
Extra info received and forwarded to list. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. (full text, mbox, link).


Message #10 received at 264234@bugs.debian.org (full text, mbox, reply):

From: Miquel van Smoorenburg <miquels@cistron.net>
To: Zygo Blaxell <zblaxell@ashura.furryterror.org>
Cc: 264234@bugs.debian.org, miquels@cistron.nl
Subject: Re: Bug#264234: initscripts: bootclean.sh file creation vulnerability
Date: Sun, 8 Aug 2004 13:10:39 +0200
On Sat, 07 Aug 2004 20:38:06, Zygo Blaxell wrote:
> Package: initscripts
> Version: 2.86-1
> Severity: normal
> 
> While rejecting modifications to bootclean.sh today, I noticed a line
> that read:
> 
> 	:>> /tmp/.clean
> 
> This suggests at least a file creation security vulnerability exploitable
> as follows:

Well, it would indeed be a good idea to remove /tmp/.clean early in
the boot process to prevent this. However on a standard system this
cannot happen.

At shutdown time, /etc/init.d/umountnfs.sh (which is really badly
named, I admit) removes /tmp/.clean, so that should be sufficient.

Unless an attacker creates a symlink in /tmp/.clean and finds
a way to hard-reboot the kernel (using say a kernel vulnerability
like 2.4.25 had).

Severity can stay at "normal" for now, I guess.

Mike.



Information forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Zygo Blaxell <zblaxell@ashura.furryterror.org>:
Extra info received and forwarded to list. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. (full text, mbox, link).


Message #15 received at 264234@bugs.debian.org (full text, mbox, reply):

From: Zygo Blaxell <zblaxell@ashura.furryterror.org>
To: Miquel van Smoorenburg <miquels@cistron.net>
Cc: 264234@bugs.debian.org, miquels@cistron.nl
Subject: Re: Bug#264234: initscripts: bootclean.sh file creation vulnerability
Date: Thu, 12 Aug 2004 10:56:36 -0400
On Sun, Aug 08, 2004 at 01:10:39PM +0200, Miquel van Smoorenburg wrote:
> Well, it would indeed be a good idea to remove /tmp/.clean early in
> the boot process to prevent this. 

Actually in this particular case it will be sufficient to remove .clean
immediately before touching it:

	rm -rf /tmp/.clean
	:>> /tmp/.clean

The assumption that makes this safe is that evil user processes (e.g.
cron jobs, user logins, email deliveries, etc.) have not had a chance to
start running yet, so they can't reinsert the symlink between those
two lines.

> However on a standard system this
> cannot happen.
> 
> At shutdown time, /etc/init.d/umountnfs.sh (which is really badly
> named, I admit) removes /tmp/.clean, so that should be sufficient.

Assuming the machine goes down cleanly, of course.  Most of my system
reboots these days are due to power failures or poor resource planning
("Hmmm, I guess I can't run 50 instances of spamassassin on that machine
after all, it runs out of RAM and the watchdog kills it").


Information forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Thomas Hood <jdthood@aglu.demon.nl>:
Extra info received and forwarded to list. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. (full text, mbox, link).


Message #20 received at 264234@bugs.debian.org (full text, mbox, reply):

From: Thomas Hood <jdthood@aglu.demon.nl>
To: 264234@bugs.debian.org
Subject: Fix for sarge?
Date: Tue, 17 Aug 2004 21:34:52 +0200
This poses a security risk and there is a straightforward fix.
Fix for sarge?
--
Thomas




Changed Bug title. Request was from Thomas Hood <jdthood@yahoo.co.uk> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security Request was from Thomas Hood <jdthood@yahoo.co.uk> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Miquel van Smoorenburg <miquels@cistron.nl>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #29 received at 264234@bugs.debian.org (full text, mbox, reply):

From: Miquel van Smoorenburg <miquels@cistron.nl>
To: Thomas Hood <jdthood@aglu.demon.nl>
Cc: 264234@bugs.debian.org, miquels@cistron.nl
Subject: Re: Bug#264234: Fix for sarge?
Date: Tue, 17 Aug 2004 22:21:44 +0200
On Tue, 17 Aug 2004 21:34:52, Thomas Hood wrote:
> This poses a security risk and there is a straightforward fix.
> Fix for sarge?

Probably should upload to proposed-updates, yes. Increase
the severity of the bug first?

Mike.



Information forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Thomas Hood <jdthood@aglu.demon.nl>:
Extra info received and forwarded to list. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. (full text, mbox, link).


Message #34 received at 264234@bugs.debian.org (full text, mbox, reply):

From: Thomas Hood <jdthood@aglu.demon.nl>
To: 264234@bugs.debian.org, 264234-submitter@bugs.debian.org
Subject: Re: Bug#264234: Fix for sarge?
Date: Wed, 18 Aug 2004 10:28:42 +0200
severity 264234 serious
thanks

On Tue, 2004-08-17 at 22:21, Miquel van Smoorenburg wrote:
> Probably should upload to proposed-updates, yes. Increase
> the severity of the bug first?

Done with this message
--
Thomas




Severity set to `serious'. Request was from Thomas Hood <jdthood@aglu.demon.nl> to control@bugs.debian.org. (full text, mbox, link).


Message sent on to Zygo Blaxell <zblaxell@ashura.furryterror.org>:
Bug#264234. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Miquel van Smoorenburg <miquels@cistron.nl>:
Bug#264234; Package initscripts. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Miquel van Smoorenburg <miquels@cistron.nl>. (full text, mbox, link).


Message #44 received at 264234@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin@piware.de>
To: 264234@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Proposed patch
Date: Fri, 27 Aug 2004 11:46:51 +0200
tags 264234 patch
thanks

Hi Miquel!

Deleting */.clean before creating it is a good idea to overcome
symlink attacks. To be absolutely sure that the attacker cannot insert
a command in between, the creation command should be executed in a
noclobber environment.

I prepared a patch directly against /etc/init.d/bootclean.sh, which
closes this security hole and works very well. You can find it on

http://fixthathole.no-name-yet.com/patches/sysvinit.264234.diff

What do you think?

Thanks and have a nice day!

Martin

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org
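The two-step fix discussed in this thread (Zygo's "remove the path, then touch it" in message #15, and Martin Pitt's suggestion above to do the creation under noclobber), written out as an added example that is not the sysvinit project's own bootclean.sh code. It runs against a throwaway directory in place of /tmp, and shows the original `:>>` redirection beside the hardened form so the difference in outcome can be checked; the function names and the `victim` file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from sysvinit. Demonstrates why ":>> DIR/.clean"
# follows a planted symlink, and how "rm first, then create under set -C"
# avoids that. DIR stands in for /tmp so the demo never touches the real one.

# The original behaviour: append-redirection follows a symlink at the path
# and creates whatever it points at (root-owned, empty, at boot).
unsafe_clean_marker() {
    : >> "$1/.clean"
}

# The hardened behaviour agreed in this bug report.
safe_clean_marker() {
    marker="$1/.clean"

    # Step 1 (message #15): remove whatever sits at the path. rm -rf on a
    # symlink removes the link itself, never the file it points to.
    rm -rf -- "$marker" || return 1

    # Step 2 (Martin Pitt): create with noclobber active, so ">" refuses to
    # open an existing path instead of writing through it. A subshell keeps
    # "set -C" from leaking into the rest of the script.
    ( set -C; : > "$marker" ) 2>/dev/null || return 1

    # Step 3: confirm the result is a regular file and not a symlink.
    [ -f "$marker" ] && [ ! -L "$marker" ]
}

# Self-check: plant a link in a private directory (constructed input),
# run the hardened routine, and verify the link target was never created.
demo() {
    d=$(mktemp -d) || return 1
    ln -s "$d/victim" "$d/.clean"
    safe_clean_marker "$d" || { rm -rf -- "$d"; return 1; }
    [ ! -e "$d/victim" ] && [ -f "$d/.clean" ] && [ ! -L "$d/.clean" ]
    rc=$?
    rm -rf -- "$d"
    return $rc
}
```

Run `demo` (exit status 0 means the marker is a plain file and nothing was created at the link target); `unsafe_clean_marker` on the same setup leaves the target file behind.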

Tags added: patch Request was from Martin Pitt <martin@piware.de> to control@bugs.debian.org. (full text, mbox, link).


Tags added: sarge Request was from Thomas Hood <jdthood@yahoo.co.uk> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Miquel van Smoorenburg <miquels@cistron.nl>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Zygo Blaxell <zblaxell@ashura.furryterror.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #53 received at 264234-close@bugs.debian.org (full text, mbox, reply):

From: Miquel van Smoorenburg <miquels@cistron.nl>
To: 264234-close@bugs.debian.org
Subject: Bug#264234: fixed in sysvinit 2.86-2
Date: Wed, 08 Sep 2004 16:17:13 -0400
Source: sysvinit
Source-Version: 2.86-2

We believe that the bug you reported is fixed in the latest version of
sysvinit, which is due to be installed in the Debian FTP archive:

initscripts_2.86-2_i386.deb
  to pool/main/s/sysvinit/initscripts_2.86-2_i386.deb
sysv-rc_2.86-2_all.deb
  to pool/main/s/sysvinit/sysv-rc_2.86-2_all.deb
sysvinit_2.86-2.diff.gz
  to pool/main/s/sysvinit/sysvinit_2.86-2.diff.gz
sysvinit_2.86-2.dsc
  to pool/main/s/sysvinit/sysvinit_2.86-2.dsc
sysvinit_2.86-2_i386.deb
  to pool/main/s/sysvinit/sysvinit_2.86-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 264234@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miquel van Smoorenburg <miquels@cistron.nl> (supplier of updated sysvinit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.7
Date: Mon,  6 Sep 2004 19:02:19 +0200
Source: sysvinit
Binary: sysv-rc sysvinit initscripts
Architecture: source i386 all
Version: 2.86-2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Miquel van Smoorenburg <miquels@cistron.nl>
Changed-By: Miquel van Smoorenburg <miquels@cistron.nl>
Description: 
 initscripts - Standard scripts needed for booting and shutting down
 sysv-rc    - Standard boot mechanism using symlinks in /etc/rc?.d
 sysvinit   - System-V like init
Closes: 264234 264894
Changes: 
 sysvinit (2.86-2) testing-proposed-updates; urgency=high
 .
   * Remove .clean file before touching it; prevents symlink attack
     which in rare circumstances could result in random file creation
     (closes: #264234)
   * Do the above in a noclobber environment (Martin Pitt).
   * Don't mount network filesystems multiple times (closes: #264894)
Files: 
 8ab97fc5148e8b895af4007fde9fd71f 643 base required sysvinit_2.86-2.dsc
 90207f8bbff5a74bb58568d4c9e46d02 59187 base required sysvinit_2.86-2.diff.gz
 5e5c7df26bd1dd8a0421c5a2af6d2468 96898 base required sysvinit_2.86-2_i386.deb
 060405f3f92a8ea5d97afd25716a14c2 30130 base required initscripts_2.86-2_i386.deb
 7da3a420806342dadc133eba150b1c02 34894 base required sysv-rc_2.86-2_all.deb





Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:43:35 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:38:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:06:35 2017; Machine Name: buxtehude
