Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 6 Mar 2020 14:46:35 +0100
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-10174: timeshift: arbitrary local code execution due to
 unsafe usage of temporary directory in /tmp/timeshift

Hello list,

in the course of a security review [1] for the Timeshift backup program
[2] I discovered a local root exploit vulnerability [3] in Timeshift.

== Analysis

The problem is found in the source file TeeJee.Process.vala [3]. There
in `init_tmp()` a temporary directory for use by the Timeshift program
is setup. The TEMP_DIR path variable is setup like this:

```
TEMP_DIR = Environment.get_tmp_dir() + "/" + subdir_name + "/" + random_string();
```

This results in a path like /tmp/timeshift/wytOlUJg, for example. Only
the last part of the path is unpredictable, the /tmp/timeshift
directory, however, is constant and fully predictable. Timeshift does
not perform any checks regarding the trustworthyness of a pre-existing
/tmp/timeshift directory, or whether it might be a symlink. A typical
no-op run of timeshift causes the following (filtered) system call
sequence:

```
lstat("/tmp/timeshift/L00qsHH5", 0x7fffb14adfd0) = -1 ENOENT (No such file or directory)
mkdir("/tmp/timeshift/L00qsHH5", 0777) = 0
lstat("/tmp/timeshift/L00qsHH5/15833214581345651125.sh", 0x7fffb14adf10) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/timeshift/L00qsHH5/15833214581345651125.sh", O_WRONLY|O_CREAT|O_EXCL, 0666) = 7
execve("/usr/bin/chmod", ["chmod", "u+x", "/tmp/timeshift/L00qsHH5/15833214"...], 0x7fffb14ae3f0 /* 63 vars */
stat("/tmp/timeshift/L00qsHH5/15833214581345651125.sh", {st_mode=S_IFREG|0644, st_size=102, ...}) = 0
fchmodat(AT_FDCWD, "/tmp/timeshift/L00qsHH5/15833214581345651125.sh", 0744) = 0
chdir("/tmp/timeshift/L00qsHH5") = 0
execve("/tmp/timeshift/L00qsHH5/15833214581345651125.sh", ["/tmp/timeshift/L00qsHH5/15833214"...], 0x55f02814cfe0 /* 63 vars */
```

The `execve()` at the end is the result of the line
`exec_script_sync("echo 'ok'",out std_out,out std_err, true)` which is
also part of the `init_tmp()` function.

An unprivileged local attacker can pre-create the `/tmp/timeshift`
directory and wait for a Timeshift process running as root to create the
unpredictable sub-directory like /tmp/timeshift/L00qsHH5 and the shell
script like 15833214581345651125.sh in there. Then the attacker only
needs to replace this directory and script by his own ones in time,
resulting in arbitrary code execution as root.

A more simple proof of concept to show the problem is what happens when
a symlink is placed in /tmp/timeshift:

```
user$ ln -s /root /tmp/timeshift
```

This will cause timeshift to create temporary data in /root instead of
in /tmp.

For fixing this issue I suggest to remove the predictable prefix (in
this case "timeshift") from the TEMP_DIR path. Also the unpredictable
temporary directory created by timeshift should not be world readable
i.e. it should get mode 0750 to prevent that other users in the system
might obtain sensitive temporary data from the timeshift execution.
Currently these directories are created with mode 0755 by timeshift (or
more precisely, the mode is only modified by the calling user's umask,
which is 0022 by default).

== Bugfix and Affectedness

The issue seems to have been present at least since the commit 9538300e
[6] which first went into the v17.2 version tag.

The upstream author fixed the issue according to my recommendations in
commit 335b3d5398079278b8f7094c77bfd148b315b462 [4] which is also part
of a new release v20.03 [5].

== Timeline

I reported this privately to the upstream author on 2020-03-04 and he
publically fixed the issue on the following day already.

== References

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1165436
[2]: https://github.com/teejee2008/timeshift
[3]: https://bugzilla.suse.com/show_bug.cgi?id=1165802
[4]: https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462
[5]: https://github.com/teejee2008/timeshift/releases/tag/v20.03
[6]: https://github.com/teejee2008/timeshift/commit/9538300e

Best Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.