OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Paul Szabo (psz_at_maths.usyd.edu.au)
Date: Sun Jan 05 2003 - 15:39:21 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    INTRODUCTION

    S-PLUS is a Statistical analysis, graphics and programming tool
    http://www.statsci.com/
    http://www.insightful.com/

    PROBLEM

    As installed on UNIX machines, Splus uses files in /tmp in an unsafe way.

    DETAILS

    The main Sqpe binary, and various shell script modules, use files in /tmp:

    splus/6.0/cmd/Sqpe
            Clobbers /tmp/__F$$:
            open("/tmp/__F8499", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

    splus/6.0/cmd/PRINT
            Clobbers /tmp/PRINT.$$.out

    splus/6.0/cmd/mustfix.hlinks
            Clobbers /tmp/SUBST$PID.TXT /tmp/ed.cmds$PID

    splus/6.0/cmd/sas_get
            May clobber and use /tmp/file.1 /tmp/file.2

    splus/6.0/cmd/sas_vars
            May clobber and use /tmp/file.1

    splus/6.0/cmd/sgml2html
            Clobbers /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2

    Suppose an attacker creates a symlink from any of the "clobbered" files to
    one owned by the victim: guesses the PID that will be used, does

      ln -s ~victim/.profile /tmp/__F123

    and waits for the victim to use Splus, then the victim's .profile will be
    trashed. Some or all of these attacks may then be escalated to arbitrary
    command execution; if root ever uses Splus then the damage is much greater.

    It might be argued that it is hard to guess what PID will be used next.
    It is easy enough to create a few thousand symlinks with likely PIDs; in
    fact the attacker could create a symlink for every possible PID (as these
    normally range from 0 to 32k or 64k).

    VENDOR COMMUNICATION

     5 Dec 2002 StatSci/Insightful notified about shell scripts
     9 Dec 2002 Insightful notified about Sqpe
    11 Dec 2002 We are currently investigating
    17 Dec 2002 continuing to look into your queries
    18 Dec 2002 anticipate tmpfile() ... in the next release
    26 Dec 2002 Another list might be http://www.biostat.wustl.edu/s-news/

    WORKAROUND/PATCH

    The scripts could be patched trivially using one of the textbook methods,
    e.g. using a safe directory:
      mkdir -m 700 /tmp/mydir$$ || exit 1
      ... do things to /tmp/mydir$$/myfile ...
      rm -rf /tmp/mydir$$

    Fixing Sqpe is harder. Could (safely) pre-create /tmp/__F$$ e.g.:

    *** splus/6.0/cmd/NEW.old Tue Oct 10 16:06:37 2000
    --- splus/6.0/cmd/NEW Tue Dec 24 09:15:59 2002
    ***************
    *** 9,13 ****
    --- 9,19 ----
      then
              echo $target not found; exit 1
      fi
    + set -e
    + umask 077
    + mkdir /tmp/F$$
    + touch /tmp/F$$/__F$$
    + mv -i /tmp/F$$/__F$$ /tmp </dev/null
    + rmdir /tmp/F$$
      exec $target
      
    but Sqpe would still be open to races as it repeatedly open()s and
    unlink()s that file. A proper fix will have to come from the vendor.

    SIGNATURE

    Paul Szabo - pszmaths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
    School of Mathematics and Statistics University of Sydney 2006 Australia