Security vulnerability in automake

automake

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security vulnerability in automake

From:	Lawrence Teo
Subject:	Security vulnerability in automake
Date:	Sat, 01 Jun 2002 18:28:52 -0400

I was learning Automake last night, and I think I found a security
vulnerability. I'm not sure if this is already known, but I couldn't
find it on Bugtraq. The security vulnerability is the insecure
creation of temporary files in the config.guess script which leads
to a race condition.

In the config.guess script, there's a line that says:

dummy=dummy-$$

And further down...

echo "int dummy(){}" > $dummy.c ;

An attacker can create a number of symbolic links called
dummy-PID.c pointing to important files like /etc/passwd. PID in
this case would be the attacker's guesses on what the PID of the
config.guess script will run as. If root runs ./configure in a
source tree containing these malicious symlinks, and if the
configure script in turn runs config.guess, the /etc/passwd file
may potentially be overwritten with "int dummy(){}", resulting in
a denial of service attack.

Of course, we all know root shouldn't be running configure, but I
still feel that this is a potential vulnerability that needs to be
fixed.

Apart from dummy-$$.c, the other temporary files that are created
are dummy-$$.s and dummy-$$.rel.

My recommendations are:

1. Check if the dummy file exists. If it does, append a number to
  it. If that still exists, keep changing that number until we
  come up with a filename that does not already exist (this is
  similar to mutt's temporary files /tmp/mutt-HOSTNAME-PID-SOMENUM);
  or

2. Use a random hash value instead of the process ID ($$), which
  would be the preferred alternative. However, I don't know how
  feasible it is to do this in a simple, portable way that's
  consistent with Automake.

I've written a proof-of-concept exploit in C, which was pretty trivial
to write. If anyone's interested (and if it's appropriate), I'll post
the code here.

I've tested this on:

automake 1.4p4 on Debian GNU/Linux 3.0 (testing)
automake 1.5 on Slackware 8.0 current

Other automake versions may be vulnerable as well. The line also
appears in config.guess of automake 1.6.1, but I did not test it.

Lawrence Teo

--
Lawrence Teo
lcteo at uncc dot edu
http://www.coe.uncc.edu/~lcteo

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

[Prev in Thread]

Current Thread

[Next in Thread]

Security vulnerability in automake, Lawrence Teo <=
- Re: Security vulnerability in automake, Lars Hecking, 2002/06/02
- Re: Security vulnerability in automake, Allan Clark, 2002/06/07
  - Re: Security vulnerability in automake, Bruce Korb, 2002/06/07
- Re: Security vulnerability in automake, Lawrence Teo, 2002/06/02
- Re: Security vulnerability in automake, Lawrence Teo, 2002/06/07
  - Re: Security vulnerability in automake, Bernd Jendrissek, 2002/06/07
    - Re: Security vulnerability in automake, David Lee, 2002/06/10
    - Re: Security vulnerability in automake, Allan Clark, 2002/06/10
- Re: Security vulnerability in automake, Lawrence Teo, 2002/06/07
- Re: Security vulnerability in automake, Lawrence Teo, 2002/06/10

Prev by Date: HelpSpain
Next by Date: (no subject)
Previous by thread: HelpSpain
Next by thread: Re: Security vulnerability in automake
Index(es):
- Date
- Thread