Debian Bug report logs - #496375
The possibility of attack with the help of symlinks in some Debian packages


Package: rkhunter; Maintainer for rkhunter is Debian Forensics <forensics-devel@lists.alioth.debian.org>; Source for rkhunter is src:rkhunter.

Reported by: "Dmitry E. Oboukhov" <dimka@uvw.ru>

Date: Sun, 24 Aug 2008 18:09:41 UTC

Severity: grave

Fixed in version rkhunter/1.3.2-6

Done: Julien Valroff <julien@kirya.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
New Bug report received and forwarded. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dmitry E. Oboukhov" <dimka@uvw.ru>
To: submit@bugs.debian.org
Cc: dimka@uvw.ru
Subject: The possibility of attack with the help of symlinks in some Debian packages
Date: Sun, 24 Aug 2008 22:05:28 +0400
Package: rkhunter
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've
tested all the packages (for Lenny) on my Debian mirror. All scripts
of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used
by a user for damaging important system files or user's files.

For example, if a script uses in its work a temp file which is created
in the /tmp directory, then every user can create a symlink with the
same name in this directory in order to destroy or rewrite some system
or user file. A symlink attack may also lead not only to data
destruction but to denial of service as well.

Even if you create files or directories with the help of the 'RANDOM'
function or pid(), then your system is not protected. An attacker can
create many symlinks in order to destroy your data or create a 'denial
of service' for your package scripts.

Even if you make rm(dir) for files/directories, then your system is
not protected. An attacker can permanently create symlinks.

This list was created with the help of a script. This list was sorted
by hand. However, in some cases a mistake is possible.

Please be understanding of possible mistakes. :)

I set Severity to grave for this bug. The table of discovered
problems is below.

Discussion of this bug you can see in debian-devel@:
    http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
    file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
    file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
    file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
    file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
    file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
    file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
    file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
    file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
    file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
    file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
    file: /usr/share/dtc/admin/accesslog.php
    file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
    file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
    file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
    file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
    file: /usr/share/linuxtrade/bin/linuxtrade.wn
    file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
    file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
    file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
    file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
    file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
    file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
    file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
    file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
    file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
    file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
    file: /usr/bin/impose
Binary-package: mgt (2.31-5)
    file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
    file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
    file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
    file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
    file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
    file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
    file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
    file: /usr/lib/lmbench/scripts/rccs
    file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
    file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
    file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
    file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
    file: /usr/bin/optics2rad
    file: /usr/bin/pdelta
    file: /usr/bin/dayfact
    file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
    file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
    file: /usr/lib/ogle/ogle_audio_debug
    file: /usr/lib/ogle/ogle_cli_debug
    file: /usr/lib/ogle/ogle_ctrl_debug
    file: /usr/lib/ogle/ogle_gui_debug
    file: /usr/lib/ogle/ogle_mpeg_ps_debug
    file: /usr/lib/ogle/ogle_mpeg_vs_debug
    file: /usr/lib/ogle/ogle_nav_debug
    file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
    file: /usr/share/convirt/image_store/_template_/provision.sh
    file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
    file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
    file: /usr/share/convirt/image_store/common/provision.sh
    file: /usr/share/convirt/image_store/example/provision.sh
    file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
    file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
    file: /usr/lib/R/bin/javareconf
    file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
    file: /usr/share/xmcd/scripts/ncsarmt
    file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
    file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
    file: /usr/lib/scilab-4.1.2/bin/scilink
    file: /usr/lib/scilab-4.1.2/util/scidoc
    file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
    file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
    file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
    file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
    file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
    file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
    file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
    file: /usr/sbin/checksendmail
    file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
    file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
    file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
    file: /usr/bin/patcil
    file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
    file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
    file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
    file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
    file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
    file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
    file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
    file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
    file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
    file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
    file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
    file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
    file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
    file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
    file: /usr/lib/arb/SH/arb_fastdnaml
    file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
    file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
    file: /usr/bin/apertium-gen-deformat
    file: /usr/bin/apertium-gen-reformat
    file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
    file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
    file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
    file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
    file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
    file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
    file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/tot_stats
    file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
    file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
    file: /var/lib/wims/public_html/bin/coqweb
    file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
    file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
    file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
    file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
    file: /usr/share/bulmages/examples/scripts/actualizabulmacont
    file: /usr/share/bulmages/examples/scripts/installbulmages-db
    file: /usr/share/bulmages/examples/scripts/creabulmafact
    file: /usr/share/bulmages/examples/scripts/creabulmacont
    file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
    file: /usr/lib/xastir/get-maptools.sh
    file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
    file: /usr/bin/plaiter
    file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
    file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
    file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
    file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
    file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
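The report says the list above was produced by a script that looked for the fixed-temp-file pattern. The following is an added example of such an audit, not the reporter's own scanner: it flags literal /tmp/<name> paths in scripts, skips mktemp templates and comment lines, and runs against two constructed sample scripts (the file names and contents are made up for the demo).

```shell
#!/bin/sh
# Audit scripts for hard-coded temporary files under /tmp, the pattern the
# report above describes. Added example, not the reporter's own scanner.
# A line is flagged when it contains a literal /tmp/<name> that is not an
# mktemp template (no run of X's); comment lines are skipped. Names built
# from $$ or $RANDOM are still flagged (the literal prefix is enough to
# predict them), which matches the report's point about pid()/RANDOM.

# find_fixed_tmp_paths FILE...: print "file:line:path" for every suspect path.
find_fixed_tmp_paths() {
    awk '
        /^[[:space:]]*#/ { next }                 # comments and shebang lines
        {
            line = $0
            while (match(line, /\/tmp\/[A-Za-z0-9_.-]+/)) {
                p = substr(line, RSTART, RLENGTH)
                if (p !~ /XXX/) printf "%s:%d:%s\n", FILENAME, FNR, p
                line = substr(line, RSTART + RLENGTH)
            }
        }' "$@"
}

# write_sample_scripts DIR: write two constructed scripts to audit, one that
# uses predictable names (vulnerable) and one that uses mktemp (safe).
write_sample_scripts() {
    cat > "$1/unsafe.sh" <<'EOF'
#!/bin/sh
# debug output goes to a fixed, predictable name
echo "debug" > /tmp/rkhunter-debug
WORK=/tmp/work.$$
EOF
    cat > "$1/safe.sh" <<'EOF'
#!/bin/sh
# scratch data once lived in /tmp/notes; now created with mktemp
TMPFILE="`mktemp -t prog.XXXXXXXXXX`" || exit
trap 'rm -f -- "$TMPFILE"' EXIT
EOF
}

# Demo: audit the two constructed scripts and clean up.
_d=$(mktemp -d -t tmpaudit.XXXXXXXXXX) && {
    write_sample_scripts "$_d"
    find_fixed_tmp_paths "$_d"/unsafe.sh "$_d"/safe.sh
    rm -rf -- "$_d"
}
```

The demo prints two findings for unsafe.sh (lines 3 and 4) and none for safe.sh; it is a line-based heuristic, so a path assembled from variables at runtime will not be caught.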

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Julien Valroff <julien@kirya.net>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>, 496375@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 11:09:02 +0200
Hi Dmitry,

On Sunday 24 August 2008 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> Package: rkhunter
> Severity: grave
> 
> Hi, maintainer!
> 
> This message about the error concerns a few packages  at  once.   I've
> tested all the packages (for Lenny) on my Debian mirror.  All  scripts
> of packages (marked as executable) were tested.
> 
> In some packages I've discovered scripts with errors which may be used
> by a user for damaging important system files or user's files.
> 
> For example if a script uses in its work a temp file which is  created
> in /tmp directory, then every user can create symlink  with  the  same
> name in this directory in order to  destroy  or  rewrite  some  system
> or user file.  Symlink attack may also  lead  not  only  to  the  data
> destruction but to denial of service as well.

I think rkhunter is safe, given that the script does check that the file
in /tmp is a file (and not a symlink) before using it:

        if [ "$1" = "--debug" ]; then
                if [ -e "/tmp/rkhunter-debug" ]; then
                        if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
                                rm -f /tmp/rkhunter-debug >/dev/null 2>&1
                        else
                                echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
                                exit 1
                        fi
                fi

Would you please confirm this is ok so that I can close this bug?

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #20 received at 496375@bugs.debian.org (full text, mbox):

From: Julien Valroff <julien@kirya.net>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 12:45:35 +0200
On Monday 25 August 2008 at 14:02 +0400, Dmitry E. Oboukhov wrote:
> On 11:09 Mon 25 Aug     , Julien Valroff wrote:
> JV> Hi Dmitry,
> 
> JV> On Sunday 24 August 2008 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> JV>> Package: rkhunter
> JV>> Severity: grave
[...]
> JV>> In some packages I've discovered scripts with errors which may be used
> JV>> by a user for damaging important system files or user's files.
> JV>> 
> JV>> For example if a script uses in its work a temp file which is  created
> JV>> in /tmp directory, then every user can create symlink  with  the  same
> JV>> name in this directory in order to  destroy  or  rewrite  some  system
> JV>> or user file.  Symlink attack may also  lead  not  only  to  the  data
> JV>> destruction but to denial of service as well.
> 
> JV> I think rkhunter is safe, given that the script does check that the file
> JV> in /tmp is a file (and not a symlink) before using it:
> 
> JV>         if [ "$1" = "--debug" ]; then
> JV>                 if [ -e "/tmp/rkhunter-debug" ]; then
> JV>                         if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
> JV>                                 rm -f /tmp/rkhunter-debug >/dev/null 2>&1
> JV>                         else
> JV>                                 echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
> JV>                                 exit 1
> JV>                         fi
> JV>                 fi
> 
> JV> Would you please confirm this is ok so that I can close this bug?
> 
> could you create temp-file as:
> 
> if [ "$1" = "--debug" ]; then
>     DEBUG_FILE=`mktemp -t rkhunter-debug.XXXXXXXXXX`
>     ...
>     # using debug file $DEBUG_FILE
> fi

Sure, but can you explain what this would change in terms of security
and wrt to the bug reported?

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #25 received at 496375@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Julien Valroff <julien@kirya.net>, 496375@bugs.debian.org
Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 12:52:45 +0200
On Mon, Aug 25, 2008 at 11:09:02 +0200, Julien Valroff wrote:

> I think rkhunter is safe, given that the script does check that the file
> in /tmp is a file (and not a symlink) before using it:
> 
>         if [ "$1" = "--debug" ]; then
>                 if [ -e "/tmp/rkhunter-debug" ]; then
>                         if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
>                                 rm -f /tmp/rkhunter-debug >/dev/null 2>&1
>                         else
>                                 echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
>                                 exit 1
>                         fi
>                 fi
> 
> Would you please confirm this is ok so that I can close this bug?
> 
This isn't ok.  Your script is still vulnerable to a race condition (if
the symlink is created between when you check for it and when you use
it).

Cheers,
Julien

Reply sent to Julien Valroff <julien@kirya.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 496375-done@bugs.debian.org (full text, mbox):

From: Julien Valroff <julien@kirya.net>
To: "Dmitry E. Oboukhov" <dimka@uvw.ru>
Cc: 496375-done@bugs.debian.org
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 13:01:17 +0200
On Monday 25 August 2008 at 14:53 +0400, Dmitry E. Oboukhov wrote:
> On 12:44 Mon 25 Aug     , Julien Valroff wrote:
> JV> On Monday 25 August 2008 at 14:02 +0400, Dmitry E. Oboukhov wrote:
> JV>> On 11:09 Mon 25 Aug     , Julien Valroff wrote:
> JV>>> Hi Dmitry,
> JV>> 
> JV>>> On Sunday 24 August 2008 at 22:05 +0400, Dmitry E. Oboukhov wrote:
> JV>>>> Package: rkhunter
> JV>>>> Severity: grave
> JV> [...]
> JV>>>> In some packages I've discovered scripts with errors which may be used
> JV>>>> by a user for damaging important system files or user's files.
> JV>>>> 
> JV>>>> For example if a script uses in its work a temp file which is  created
> JV>>>> in /tmp directory, then every user can create symlink  with  the  same
> JV>>>> name in this directory in order to  destroy  or  rewrite  some  system
> JV>>>> or user file.  Symlink attack may also  lead  not  only  to  the  data
> JV>>>> destruction but to denial of service as well.
> JV>> 
> JV>>> I think rkhunter is safe, given that the script does check that the file
> JV>>> in /tmp is a file (and not a symlink) before using it:
> JV>> 
> JV>>>         if [ "$1" = "--debug" ]; then
> JV>>>                 if [ -e "/tmp/rkhunter-debug" ]; then
> JV>>>                         if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
> JV>>>                                 rm -f /tmp/rkhunter-debug >/dev/null 2>&1
> JV>>>                         else
> JV>>>                                 echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
> JV>>>                                 exit 1
> JV>>>                         fi
> JV>>>                 fi
> JV>> 
> JV>>> Would you please confirm this is ok so that I can close this bug?
> JV>> 
> JV>> could you create temp-file as:
> JV>> 
> JV>> if [ "$1" = "--debug" ]; then
> JV>>     DEBUG_FILE=`mktemp -t rkhunter-debug.XXXXXXXXXX`
> JV>>     ...
> JV>>     # using debug file $DEBUG_FILE
> JV>> fi
> 
> JV> Sure, but can you explain what this would change in terms of security
> JV> and wrt to the bug reported?
> 
> in your case script breaks/exits if symlink exists
> in my case script always works :)

Given it is upstream code, and that only debug is "broken" in case the
symlink exists, I think it is better leaving it alone.

> but both cases are ok (for this bug) :)
Thanks for confirming, I hence close this bug.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #35 received at 496375@bugs.debian.org (full text, mbox):

From: Julien Valroff <julien@kirya.net>
To: Julien Cristau <jcristau@debian.org>, 496375@bugs.debian.org
Cc: "Dmitry E. Oboukhov" <dimka@uvw.ru>, control@bugs.debian.org
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 13:08:38 +0200
package rkhunter
reopen 496375
thanks

On Monday 25 August 2008 at 12:52 +0200, Julien Cristau wrote:
> On Mon, Aug 25, 2008 at 11:09:02 +0200, Julien Valroff wrote:
> 
> > I think rkhunter is safe, given that the script does check that the file
> > in /tmp is a file (and not a symlink) before using it:
> > 
> >         if [ "$1" = "--debug" ]; then
> >                 if [ -e "/tmp/rkhunter-debug" ]; then
> >                         if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
> >                                 rm -f /tmp/rkhunter-debug >/dev/null 2>&1
> >                         else
> >                                 echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
> >                                 exit 1
> >                         fi
> >                 fi
> > 
> > Would you please confirm this is ok so that I can close this bug?
> > 
> This isn't ok.  Your script is still vulnerable to a race condition (if
> the symlink is created between when you check for it and when you use
> it).

Thanks for your precision.
I hence re-open the bug.

What can I do to prevent this?
Dmitry suggested using mktemp, but this would only *reduce* the
probability of exploiting this race condition.

Would this be acceptable?

Julien

Bug reopened, originator not changed. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Mon, 25 Aug 2008 11:12:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #42 received at 496375@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Julien Valroff <julien@kirya.net>, 496375@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>, "Dmitry E. Oboukhov" <dimka@uvw.ru>
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Mon, 25 Aug 2008 14:55:46 +0100
This one time, at band camp, Julien Valroff said:
> What can I do to prevent this?  Dmitry suggested using mktemp, but
> this would only *reduce* the probability of exploiting this race
> condition.

No, it pretty much eliminates it.  mktemp is clever enough to give you a
unique filename that doesn't currently exist and create the file before
returning.  Once mktemp has made the file, assuming correct permissions
on /tmp, an attacker can't replace it with a symlink, so this is as safe
as tempfile usage gets.

Reply sent to Julien Valroff <julien@kirya.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dmitry E. Oboukhov" <dimka@uvw.ru>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 496375-close@bugs.debian.org (full text, mbox):

From: Julien Valroff <julien@kirya.net>
To: 496375-close@bugs.debian.org
Subject: Bug#496375: fixed in rkhunter 1.3.2-6
Date: Mon, 25 Aug 2008 17:17:04 +0000
Source: rkhunter
Source-Version: 1.3.2-6

We believe that the bug you reported is fixed in the latest version of
rkhunter, which is due to be installed in the Debian FTP archive:

rkhunter_1.3.2-6.diff.gz
  to pool/main/r/rkhunter/rkhunter_1.3.2-6.diff.gz
rkhunter_1.3.2-6.dsc
  to pool/main/r/rkhunter/rkhunter_1.3.2-6.dsc
rkhunter_1.3.2-6_all.deb
  to pool/main/r/rkhunter/rkhunter_1.3.2-6_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496375@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Valroff <julien@kirya.net> (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 25 Aug 2008 18:31:39 +0200
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.3.2-6
Distribution: unstable
Urgency: low
Maintainer: Micah Anderson <micah@debian.org>
Changed-By: Julien Valroff <julien@kirya.net>
Description: 
 rkhunter   - rootkit, backdoor, sniffer and exploit scanner
Closes: 496375
Changes: 
 rkhunter (1.3.2-6) unstable; urgency=low
 .
   * Added patch to fix race condition when using --debug option
     (Closes: #496375)


Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Solar Designer <solar@openwall.com>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #52 received at 496375@bugs.debian.org (full text, mbox):

From: Solar Designer <solar@openwall.com>
To: 496375@bugs.debian.org
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 04:00:31 +0400
FWIW, I happened to independently notice this and report it upstream a
week ago:

https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1971965&group_id=155034

"While I am at it, I suggest that you change /tmp/rkhunter-debug to
/var/run/rkhunter-debug.  Right now, you have a security hole allowing for
local root compromise, although indeed the race condition is hard to
trigger in practice.

To those reading this: please note that this suggestion by no means
constitutes a security review of rkhunter by me."

I notice that the Debian package was fixed to use mktemp; I think that a
fixed filename under /var/run would be better in this case.  Also,
rkhunter could be patched to enforce mode 600 on the file, regardless of
umask.  (mktemp does that, but when a fixed filename under /var/run is
used instead, that would need to be explicit.)  Oh, and I was probably
wrong about the race condition being hard to trigger - I forgot about
directory notifications for a moment.

Also, when using mktemp it is important to check for possible failure of
mktemp - e.g., with "|| exit" on the line (which propagates mktemp's
exit code to that of the script).  On Openwall GNU/*/Linux (Owl), we use
the following shell script snippets for "real" temporary files (which
are meant to be gone when the script terminates), as documented in
Owl/doc/CONVENTIONS -

| It's better to not use temporary files, however if you must, the
| preferred way to do it from shell scripts is with code like this:
| 
| 	TMPFILE="`mktemp -t program.XXXXXXXXXX`" || exit
| 	trap 'rm -f -- "$TMPFILE"' EXIT
| 	trap 'trap - EXIT; rm -f -- "$TMPFILE"; exit 1' HUP INT QUIT TERM
| 
| To create temporary directories, use:
| 
| 	TMPD="`mktemp -dt program.XXXXXXXXXX`" || exit
| 	trap 'rm -rf -- "$TMPD"' EXIT
| 	trap 'trap - EXIT; rm -rf -- "$TMPD"; exit 1' HUP INT QUIT TERM

Alexander
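The thread settles on three points: create the file atomically with mktemp (Stephen Gran), check mktemp's result and clean up via traps (the Owl conventions quoted above), and, for a root-only directory such as /var/run, use a fixed name with an explicit 0600 mode (Solar Designer). The script below is an added illustration of all three, not rkhunter's code and not the Owl snippet itself; the function names, the rkhunter-debug template and the directory-permission check are assumptions made for the demo.

```shell
#!/bin/sh
# Safe temporary-file handling for a script like rkhunter's --debug mode.
# Added example (not rkhunter's code, not the Owl CONVENTIONS snippet):
#   * mktemp creates the file atomically with mode 0600 and an unpredictable
#     name, so there is no check-then-use window for a symlink to slip into;
#   * mktemp's result is checked instead of assumed ("|| exit" in the thread);
#   * traps remove the file on normal exit and on signals;
#   * for a root-only directory such as /var/run, a fixed name is created
#     with an explicit 0600 mode after verifying nobody else can write DIR.

# file_mode PATH: print the last three octal digits of PATH's mode (GNU stat,
# falling back to BSD stat). Returns 1 if PATH cannot be stat'ed.
file_mode() {
    _m=$(stat -c '%a' "$1" 2>/dev/null) || _m=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
    _m=${_m#"${_m%???}"}
    printf '%s\n' "$_m"
}

# tmp_is_private PATH: 0 if PATH is a regular file, not a symlink, mode 0600.
# This is a post-creation sanity check, not a substitute for atomic creation.
tmp_is_private() {
    [ -f "$1" ] && [ ! -h "$1" ] || return 1
    [ "$(file_mode "$1")" = "600" ]
}

# make_debug_tmp: create an unpredictable private file and print its path.
# Prints nothing and returns non-zero if mktemp fails (full /tmp, bad TMPDIR).
make_debug_tmp() {
    _tmp=$(mktemp -t rkhunter-debug.XXXXXXXXXX) || return 1
    printf '%s\n' "$_tmp"
}

# with_tmpfile CMD [ARG...]: run CMD with a fresh temp file appended as its
# last argument and remove the file afterwards, also on HUP/INT/QUIT/TERM.
# The path is left in WITH_TMPFILE_PATH so a caller can confirm cleanup.
with_tmpfile() {
    _tmp=$(mktemp -t rkhunter-debug.XXXXXXXXXX) || return 1
    WITH_TMPFILE_PATH=$_tmp
    trap 'rm -f -- "$_tmp"' EXIT
    trap 'trap - EXIT; rm -f -- "$_tmp"; exit 1' HUP INT QUIT TERM
    "$@" "$_tmp"
    _rc=$?
    rm -f -- "$_tmp"
    trap - EXIT HUP INT QUIT TERM
    return $_rc
}

# fixed_debug_file DIR NAME: create DIR/NAME with mode 0600 and print its path.
# Meant for a directory only root can write to (/var/run in the thread).
# Refuses when DIR is a symlink or writable by group/other, because a fixed
# name is only race-free when no other user can plant a link in DIR.
fixed_debug_file() {
    _dir=$1; _path=$1/$2
    [ -d "$_dir" ] && [ ! -h "$_dir" ] || return 1
    _dm=$(file_mode "$_dir") || return 1
    case "$_dm" in
        ?[2367]?|??[2367]) return 1 ;;   # group or other write bit set
    esac
    [ ! -h "$_path" ] || return 1        # a link here means DIR is not trustworthy
    rm -f -- "$_path"
    ( umask 077 && : > "$_path" ) || return 1
    printf '%s\n' "$_path"
}

# Demo: create, verify and discard a debug file the safe way.
if _p=$(make_debug_tmp); then
    tmp_is_private "$_p" && echo "created private temp file $_p"
    rm -f -- "$_p"
fi
```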

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #57 received at 496375@bugs.debian.org (full text, mbox):

From: Julien Valroff <julien@kirya.net>
To: Solar Designer <solar@openwall.com>, 496375@bugs.debian.org
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 09:06:58 +0200
Hi Alexander,

Many thanks for your email.
I have been willing to review rkhunter bugs before submitting it.

On Wednesday 27 August 2008 at 04:00 +0400, Solar Designer wrote:
> FWIW, I happened to independently notice this and report it upstream a
> week ago:
> 
> https://sourceforge.net/tracker/?func=detail&atid=794190&aid=1971965&group_id=155034
> 
> "While I am at it, I suggest that you change /tmp/rkhunter-debug to
> /var/run/rkhunter-debug.  Right now, you have a security hole allowing for
> local root compromise, although indeed the race condition is hard to
> trigger in practice.
> 
> To those reading this: please note that this suggestion by no means
> constitutes a security review of rkhunter by me."
> 
> I notice that the Debian package was fixed to use mktemp; I think that a
> fixed filename under /var/run would be better in this case.  Also,
> rkhunter could be patched to enforce mode 600 on the file, regardless of
> umask.  (mktemp does that, but when a fixed filename under /var/run is
> used instead, that would need to be explicit.)  Oh, and I was probably
> wrong about the race condition being hard to trigger - I forgot about
> directory notifications for a moment.

I am far from being a security expert.
Do you suggest that using /var/run/rkhunter-debug is better
than /tmp/rkhunter-debug.XXXXXXXX (created using mktemp)?
or is that still using mktemp to create a /var/run/rkhunter-debug.XXXXXX
file?

Can you explain why it is more secure? I am ready to patch rkhunter
debian package, but need to be sure I understand well what I do!

Thanks again for your help.

Cheers,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Micah Anderson <micah@debian.org>:
Bug#496375; Package rkhunter. Full text and rfc822 format available.

Acknowledgement sent to Solar Designer <solar@openwall.com>:
Extra info received and forwarded to list. Copy sent to Micah Anderson <micah@debian.org>. Full text and rfc822 format available.

Message #62 received at 496375@bugs.debian.org (full text, mbox):

From: Solar Designer <solar@openwall.com>
To: Julien Valroff <julien@kirya.net>
Cc: 496375@bugs.debian.org
Subject: Re: Bug#496375: The possibility of attack with the help of symlinks in some Debian packages
Date: Wed, 27 Aug 2008 11:24:23 +0400
On Wed, Aug 27, 2008 at 09:06:58AM +0200, Julien Valroff wrote:
> Do you suggest that using /var/run/rkhunter-debug is better
> than /tmp/rkhunter-debug.XXXXXXXX (created using mktemp)?

Yes - primarily from usability standpoint.  This time, having a fixed
filename is better, and since rkhunter needs to be run as root anyway
(does it?), /var/run should do and be safe.  However, if I am wrong in
my assumption that rkhunter requires root, then indeed /var/run is not
appropriate - and the mktemp approach makes sense.

> or is that still using mktemp to create a /var/run/rkhunter-debug.XXXXXX
> file?

No.

> Can you explain why it is more secure?

That was not the point I was making.  Rather, the point was/is that
mktemp is normally used for program-internal and truly temporary files,
and this time we have a file that is meant to be accessed by a human
user - so a fixed filename in a directory only writable by root may be
more appropriate.  However, once again, if rkhunter may reasonably be
run by non-root (I just don't know, I've never used rkhunter), then
"mktemp -t ..." may be appropriate as it will retain that capability.

Alexander

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:00:58 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 03:35:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.