OSEC

From: Lionel Cons (lionel.conscern.ch)
Date: Wed Mar 28 2001 - 08:11:12 CST


    Solar Designer <solaropenwall.com> writes:
    >
    > On Tue, Mar 27, 2001 at 11:41:25AM +0200, Lionel Cons wrote:
    > > 1) there is a race condition between the lstat() to detect a symbolic
    > > link and the actual chdir()
    >
    > > 2) an attacker can move directories while find is _inside_ so that
    > > chdir(..) goes out of the intended file tree.
    > >
    > > Fix: keep track of the parent inodes (which is done anyway to detect
    > > loops, see the variable dir_ids in find.c) and lstat(.) after the
    > > chdir(..) to make sure that we ended up in the right directory.
    >
    > This would allow for a DoS attack against find itself (it'd have to
    > abort if .. changed).
    >
    > > Another fix would be to remember the parent file descriptor and use
    > > fchdir().
    >
    > This I think is a better fix.

    And what about systems without fchdir()? It's better to abort than to
    go out of control...

    The best approach is likely to be a combo: fchdir() when available,
    extra checks and abort otherwise.

    > > I reported these bugs 18 months ago but they haven't been fixed so
    > > far. It seems that the current findutils maintainer hasn't got enough
    > > time/will to incorporate these fixes.
    >
    > Have you tried providing a patch? Do you have one?

    I did send him a patch against findutils 4.1.1 in November 1999. I can
    easily clean it up against the current version, 4.1.6.

    > > The find command is very useful for system tasks like cleaning /tmp
    >
    > To use find for cleaning /tmp, you'd also need either -execdir (the
    > OpenBSD approach) or -delete (a patch to implement it was on Bugtraq
    > some years ago and we include it in Owl). I think at least one of
    > these should get into GNU find as well.

    Neither -execdir nor -delete is in findutils 4.1.6.

    A stupid question: are the sources of Owl (at least for findutils)
    available?

    It would help to all use the same bullet-proof basic utilities...

    ________________________________________________________
    Lionel Cons http://home.cern.ch/~cons
    CERN http://www.cern.ch
     
    Nixon's Theorem
            The man who can smile when things go wrong has thought of someone he
            can blame it on.
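The two fixes argued over in this thread, as an added C example that is not from the thread or from findutils: a parent-inode check after chdir("..") that aborts the walk, beside the fchdir() variant, plus the lstat-before/stat-after comparison for the symlink race on descent. The walker, the three ASCEND modes and the scratch directory tree under /tmp are constructed for this illustration.

```c
#define _GNU_SOURCE 1               /* mkdtemp(), fchdir(), lstat() on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Where we came from: (dev, ino) to verify chdir(".."), and an open
   descriptor for the fchdir() variant. */
struct parent_ref { dev_t dev; ino_t ino; int fd; };
enum { ASCEND_NAIVE, ASCEND_CHECKED, ASCEND_FCHDIR };
/* Enter `name`, recording the parent.  lstat() before and stat(".") after
   must agree; otherwise the entry was swapped between the calls (race 1). */
int safe_descend(const char *name, struct parent_ref *p)
{
    struct stat before, after;
    if ((p->fd = open(".", O_RDONLY)) < 0 || fstat(p->fd, &after) < 0) return -1;
    p->dev = after.st_dev; p->ino = after.st_ino;
    if (lstat(name, &before) < 0 || !S_ISDIR(before.st_mode) || chdir(name) < 0)
        return -1;
    if (stat(".", &after) < 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino) return -1;   /* not what we lstat()ed */
    return 0;
}
/* Back to the parent: fchdir() on the saved fd cannot be redirected by a rename;
   CHECKED verifies chdir("..") against the recorded inode and aborts (race 2). */
int ascend(struct parent_ref *p, int mode)
{
    struct stat st; int rc = mode == ASCEND_FCHDIR ? fchdir(p->fd) : chdir("..");
    if (rc == 0 && mode == ASCEND_CHECKED &&
        (lstat(".", &st) < 0 || st.st_dev != p->dev || st.st_ino != p->ino))
        rc = -1;                    /* ".." no longer leads to the parent */
    close(p->fd); p->fd = -1;
    return rc;
}
/* Constructed scenario: root/sub is moved to other/sub while the walker is inside
   it.  Returns 1 back in root, -1 aborted, 0 silently outside the tree, -2 setup error. */
int demo_moved_dir(int mode)
{
    char tmpl[] = "/tmp/findraceXXXXXX";
    struct parent_ref p; struct stat root_st, here; int rc;
    if (!mkdtemp(tmpl) || chdir(tmpl) < 0 || mkdir("root", 0700) < 0 ||
        mkdir("other", 0700) < 0 || chdir("root") < 0 || stat(".", &root_st) < 0 ||
        mkdir("sub", 0700) < 0 || safe_descend("sub", &p) < 0 ||
        rename("../../root/sub", "../../other/sub") < 0) return -2; /* the move */
    rc = ascend(&p, mode) < 0 ? -1 : stat(".", &here) == 0 &&
         here.st_dev == root_st.st_dev && here.st_ino == root_st.st_ino;
    chdir(tmpl); rmdir("other/sub"); rmdir("other"); rmdir("root");
    chdir("/"); rmdir(tmpl);        /* tidy up the constructed tree */
    return rc;
}
```

The NAIVE mode is the behaviour the thread complains about; CHECKED is the abort-on-mismatch fallback for systems without fchdir(), and FCHDIR is the preferred fix.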