Re: Vulnerability in libtool 1.5
From: Stefan Nordhausen
Subject: Re: Vulnerability in libtool 1.5
Date: Sat, 3 Jan 2004 11:30:27 +0100
User-agent: KMail/1.5.1

On Saturday 03 January 2004 05:17, you wrote:
> Which will only remove the symlink. Pointing the symlink at anything
> other than a directory will cause the mkdir to fail, even with -p.

You are right. I shouldn't try to write exploits so late in the evening.

> There's no other instance of any rm command, so the most devastating
> thing they can do is cause the temporary output files to not be deleted.

This one is wrong though. Assuming the user running ltmain is root: You create
symlinks to /home. This will cause mkdir -p to be happy, but chmod 700 will
_follow_ symlinks and chmod /home to 700. As a result users will not be able
to access their home directories.

You can also attempt to exploit this as a race condition: Symlinks to
/tmp/whatever will cause a directory to be created. When that directory
appears you simply _change_ your symlink to point somewhere else. If you're
fast enough you can set any file on the system to mode 700 (very bad if that
hits /bin/bash or /bin/mkdir or ...).

> RedHat patch libtool with a far better solution to this that attempts to
> use mktemp to generate a unique name instead.

But the patch provided by you still contains this line:

    if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir";

Due to the -p option the call to mkdir remains insecure on systems where
mktemp is not installed.

Regards
Stefan
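
The mkdir fallback discussed in the message above, next to a hardened form, as an added example that is not part of the original post or of libtool. The function names and the sandbox layout are assumptions made for this illustration, and the sandbox itself is built with mktemp -d.

```shell
# Added example, not libtool's code. All function names are hypothetical.

# The pattern quoted in the message: -p accepts a path that already exists,
# including a symlink to a directory, and chmod then follows that link.
legacy_mkdir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Hardened form: without -p, mkdir fails with EEXIST if anything, even a
# symlink, already sits at the path. The umask makes the directory 0700 at
# creation time, so there is no separate chmod step left to race against.
private_mkdir() {
    (umask 077 && mkdir "$1") 2>/dev/null
}

# Print the permission string of a directory (first 10 characters of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed scenario in a throwaway sandbox: "link" is a symlink that was
# planted before the script ran and points at "victim" (mode 755).
# Calls the function named in $1 on the link and prints the victim's mode.
victim_mode_after() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/victim" && chmod 755 "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/link"
    "$1" "$sandbox/link" || true    # the hardened form is expected to fail
    mode_of "$sandbox/victim"
    rm -rf "$sandbox"
}

echo "victim after legacy_mkdir:  $(victim_mode_after legacy_mkdir)"
echo "victim after private_mkdir: $(victim_mode_after private_mkdir)"
```

A caller of private_mkdir must treat a non-zero status as fatal and stop, rather than carrying on and writing into a directory it did not create.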