Ethereal-dev: Re: [ethereal-dev] Security race in ethereal leading to root access

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gilbert Ramirez <gram@xxxxxxxxxx>
Date: Fri, 30 Jul 1999 11:32:21 -0500
On Fri, Jul 30, 1999 at 08:21:40AM -0500, Richard Sharpe wrote:
> Hi,
> 
> I was talking with Andrew Tridgell last night about Ethereal, and he likes
> it.  However, while we were looking at something we found what looks like
> an exploitable race in Ethereal.
> 
> Capture.c calls tempnam to create a temporary name for the capture file,
> and this seems to call pcap_dump_file or some other routine to open the 
> file.
> 
> An strace shows the following:
> 
>    open ("/tmp/ether00688aaa", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 9
> 
> That is, it is not opened with O_EXCL, which means someone who is creating
> links with the correct pattern has a possibility to create a link to
> /etc/passwd between when we create the name and open the file ...
> 
> Does anyone know how to fix this?  Perhaps we should call mkstemp and pass
> a file descriptor to pcap instead?

It will be hard to pass pcap a file descriptor; the API only provides
us the ability to send it a file name. Furthermore, pcap_t contains
a FILE*, not a file descriptor.

mkstemp() would indeed give us a file guaranteed to be ours, and not
linked to another file (/etc/passwd, e.g.).
Glibc mkstemp(char*) modifies the character array that we pass it, so
we do have access to the resulting random file name. Do all mkstemp()'s do
this?

If we then have the filename, can we close our file descriptor, then
pass the filename to pcap, can we be assured that nothing happened to that
file that we created? Can we chmod() that file while we have the file
descriptor open so that only the user (root) can modify that file, then
close the fd, and pass pcap the filename?

--gilbert
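The mkstemp() plus fchmod() approach discussed in this message, as an added example in C that is not part of this thread or of Ethereal's code; the /tmp/etherXXXXXX template and the 0600 mode are choices made here. The first function creates the file atomically and tightens its mode through the descriptor, the second checks that the descriptor still names a private regular file before the name is handed to anything that reopens it by path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* mkstemp() opens with O_CREAT|O_EXCL, so name generation and open are one
 * step; it rewrites the trailing XXXXXX of 'path' in place (POSIX requires this). */
int create_private_tempfile(char *path)
{
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    /* Tighten the mode through the fd we hold: chmod() by name could be
     * redirected by a link planted under that name, fchmod() cannot. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* 1 if the descriptor still refers to a regular file with one link, owned by
 * us, mode 0600; 0 otherwise. Covers the fd only, not a later reopen by name. */
int fd_is_private_regular(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == geteuid() && (st.st_mode & 0777) == 0600;
}

/* End-to-end: create, verify, clean up. Returns 1 on success, 0 on failure. */
int tempfile_roundtrip(void)
{
    char path[] = "/tmp/etherXXXXXX";   /* assumed template; XXXXXX is replaced */
    int fd = create_private_tempfile(path);
    if (fd < 0) return 0;
    int ok = fd_is_private_regular(fd) && strstr(path, "XXXXXX") == NULL;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("roundtrip ok=%d\n", tempfile_roundtrip());
    return 0;
}
```

Later libpcap releases also provide pcap_dump_fopen(), which takes a FILE* and so can be given fdopen(fd, "w") without reopening the capture file by name at all.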