OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Jarno Huuskonen (Jarno.Huuskonenuku.fi)
Date: Thu May 31 2001 - 05:15:26 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

         ------------------------------------------------------------
                 Imp-2.2.4 creates insecure temporary files.
                            Jarno.Huuskonenuku.fi
                                Thu May 31 2001
         ------------------------------------------------------------

    Author:
     Jarno Huuskonen <Jarno.Huuskonenuku.fi>

    Discovered:
     Wed 16 May 2001

     Horde project 'dev' mailing list contacted on Fri 18 May 2001[1].
     Imp-2.2.5 is available from http://www.horde.org/imp/

    Platforms:
     Only tested imp-2.2.4 on Linux and AIX (with php-4.0.5/php-3.0.18)
     but AFAIK all platforms are affected.

    Severity:
     Possible local file overwrite (symlink attack). (For more information
     about race conditions see[2]).

    Abstract:
     Imp-webmail uses predictable temporary filenames when handling
     uploaded attachments or when 'viewing' attachments.

    Details:
     Uploaded attachments:
     When a user composes a new email all the attachments are uploaded to
     the webmail server. First PHP handles the file upload and creates a
     temporary file (the file is created in php.ini 'upload_tmp_dir' or
     /tmp). The temporary filename is something like /tmp/phpXXXXXX
     (where X's are 'random'). After this imp's compose.php3 copies this
     temporary file for safekeeping.
     The destination filename imp uses is /tmp/phpXXXXXX.att, but imp fails
     to check if the destination exists (and the destination file is opened
     without the O_EXCL flag). So the attacker can watch /tmp (or
     upload_tmp_dir) for phpXXXXXX files and then quickly create a symlink:
     'ln -s /tmp/phpXXXXXX.att /to/webserver_writable_file'
     
    Attachment viewers:
     Imp can use external viewers for viewing email attachments like
     zip-files. Before calling these viewers imp (imp/lib/mimetypes.lib)
     saves the attachment into a temporary file. These filenames are
     something like: /tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents).
     So the filename is quite easy to guess and the file is opened
     without O_EXCL (so creating a bunch of /tmp/imp.... symlinks is also
     possible) (Note: Jon Parise has discovered this earlier[3]).

    Solution:
     Upgrade to imp-2.2.5 and use the 'upload_tmp_dir' directive (php.ini)
     to define a directory where uploaded files should go (see
     imp/docs/SECURITY for more information).

     Note: Imp-2.2.5 uses the PHP tempnam function for creating temporary
     files. With PHP versions earlier than 4.0.3? the tempnam function
     doesn't use mkstemp (so it has a race condition) so upgrading to
     PHP-4.0.5 or patching PHP-3.0.18 to use mkstemp is advisable[4].

    Credits:
     I would like to thank the horde team for creating a great webmail
     interface.

    References:
    1.
     devhorde.org discussion about imp tempfile problems.
     http://marc.theaimsgroup.com/?t=99018545400001&w=2&r=1

    2.
     David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
     http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html

    3.
     Patch for the imp/lib/mimetypes.lib temp file problem.
     http://marc.theaimsgroup.com/?l=horde-dev&m=97528008715710&w=2

    4.
     PHP tempnam function.
     http://marc.theaimsgroup.com/?l=php-dev&m=97972576709196&w=2
     http://marc.theaimsgroup.com/?t=94184107200002&w=2&r=1
     http://marc.theaimsgroup.com/?t=96811361900003&w=2&r=1
     http://marc.theaimsgroup.com/?t=96683455000001&w=2&r=1

    -Jarno

    -- 
    Jarno Huuskonen <Jarno.Huuskonenuku.fi>