[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerability in libtool 1.5

From: Stefan Nordhausen
Subject: Re: Vulnerability in libtool 1.5
Date: Sat, 3 Jan 2004 11:30:27 +0100
User-agent: KMail/1.5.1

On Saturday 03 January 2004 05:17, you wrote:
> Which will only remove the symlink.  Pointing the symlink at anything
> other than a directory will cause the mkdir to fail, even with -p.

You are right. I shouldn't try to write exploits so late in the evening.

> There's no other instance of any rm command, so the most devastating
> thing they can do is cause the temporary output files to not be deleted.

This one is wrong though. Assuming the user running ltmain is root: You create 
symlinks to /home. This will cause mkdir -p to be happy, but chmod 700 will 
_follow_ symlinks and chmod /home to 700. As a result users will not be able 
to access their home directories.
You can also attempt to exploit this as a race condition: Symlinks to 
/tmp/whatever will cause a directory to be created. When that directory 
appears you simply _change_ your symlink to point somewhere else. If you're 
fast enough you can set any file on the system to mode 700 (very bad if that 
hits /bin/bash or /bin/mkdir or ...).

> RedHat patch libtool with a far better solution to this that attempts to
> use mktemp to generate a unique name instead.

But the patch provided by you still contains this line:
  if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir";
Due to the -p option the call to mkdir remains insecure on systems where 
mktemp is not installed.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]