<<< Date Index >>>     <<< Thread Index >>>

Re: bzip2 TOCTOU file-permissions vulnerability



In-Reply-To: <7389fc4b0503301338f74a428@xxxxxxxxxxxxxx>

>================================
>bzip2 TOCTOU file-permissions vulnerability 
>================================
>
>Software: bzip2
>Version: 1.0.2
>Software URL: <http://sources.redhat.com/bzip2/>
>Platform:  Unix, Linux.
>Vulnerability type: Time-of-Check-Time-Of-Use
>Severity: Low, requires local attacker and badly set
>directory permissions.


This is completely wrong. If you look at the code to bzip2.c, you'll see that 
it calls fopen_output_safely(). This function in turn does an

open(name,  O_WRONLY|O_CREAT|O_EXCL, S_IWUSR|S_IRUSR);

This means the file is opened with perms 0600.

>Vulnerable software
>====================
>
>bzip2 1.0.2 and previous versions running on unix. 
>
>bzip2 1.0.2 compiled for Windows using lcc or MS
>Visual C++  is not effected.

Wrong again. In fopen_output_safely, if BZ_UNIX is not set, the it resorts to 
fopen. Looking at the manual_3.html page, it says that on Win32 you set this 
define to 0. Therefore windows might be vulnerable.

>Vulnerability
>============== 
>
>If a malicious local user has write access to a
>directory in which a target user is using bzip2 to
>extract or compress a file to then a TOCTOU bug can 
>be exploited to change the permission of any file
>belonging to that user.

Wrong. They must be logged in as that user. Remember, perms on tmp file was 
0600.

>Fix
>====
>
>Ensure that any directory which is being used by 
>bzip2 to compress/decompress files is only writeable
>by the user or alternatively set the sticky bit on the
>directory's permissions

According to changelog, this was fixed in 1.0.2. So, 1.0.1 and earlier might be 
a problem. This report is wrong in almost all aspects.

-Steve Grubb