Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Jan 2014 09:57:27 +0100
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: "support@...sion.nl" <support@...sion.nl>, Jakub Wilk <jwilk@...ian.org>
Subject: Re: CVE request: temporary file issue in Passenger rubygem

Hi,

On 29 January 2014 00:23, Vincent Danen <vdanen@...hat.com> wrote:
> Phusion Passenger creates a "server instance directory" in /tmp during startup,
> which is a temporary directory that Phusion Passenger uses to store working files.
> This directory is deleted after Phusion Passenger exits. For various technical
> reasons, this directory must have a semi-predictable filename. If a local attacker
> can predict this filename, and precreates a symlink with the same filename that
> points to an arbitrary directory with mode 755, owner root and group root, then
> the attacker will succeed in making Phusion Passenger write files and create
> subdirectories inside that target directory.

Ah, nice catch Jakub. Needless to say, this is related to but
different from CVE-2013-4136.

One thing to notice, however, is that there's a race condition between
the stat check introduced in 34b1087870c2.
The following sequence still triggers the bogus behaviour:

<user> mkdir $dir
<phusion> lstat() (getFileTypeNoFollowSymlinks)
<user> rmdir $dir
<user> ln -s /target $dir
<phusion> stat() (from verifyDirectoryPermissions)
...

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ