============================================
rpdump TOCTOU file-permissions vulnerability
============================================

Software: rpdump (part of the Pine mail package)
Version: Pine 4.62
Software URL: <http://www.washington.edu/pine/>
Platform:  Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low
Attacker requires: local user account and write access to the directory
in which rpdump is run (sticky-bit directories such as /tmp are
vulnerable).
Attack result: overwriting of an arbitrary file belonging to the user

Vulnerable software
====================

rpdump as included with Pine 4.62 and earlier versions running on Unix.

Vulnerability
==============

rpdump checks that the local file it is about to create does not
already exist, using the following code in rcdump.c:

    /* Time of check: both tests operate on the pathname, not on an
     * open file, so they say nothing about what the name will refer
     * to later. */
    if(access(local, ACCESS_EXISTS) == 0){
        if(access(local, WRITE_ACCESS) == 0){

            sprintf(buf, "Local file \"%.20s\" exists, overwrite it",
                    (p = last_cmpnt(local)) ? p : local);
            if(wantto(buf, 'n', 'n') != 'y'){
                fprintf(stderr, "Dump cancelled\n");
                exit(-1);
            }
        }
        else{
            fprintf(stderr, "Local file \"%s\" is not writable\n", local);
            exit(-1);
        }
    }
    /* ... IMAP network traffic follows here; the later fopen(local, "w")
     * is the time of use and resolves the same name a second time. */

However, it then performs network operations against an IMAP server to
fetch the remote files before eventually calling fopen(local, "w"). The
window between the access() checks and the fopen() gives a local
attacker with write access to the directory the opportunity to create a
symbolic link at the local path pointing to an arbitrary file owned by
the user; fopen() follows the link and that file is overwritten.
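As an added example that is not part of this advisory or of Pine's source, the same "create the dump file" step written so that the pathname is resolved exactly once, exercised against a constructed scenario in which the race has already been lost (a symlink sits at the dump path). The names open_local_dump, demo_symlink_blocked and the /tmp/rpdump-demo-* directory are this example's own.

```c
/* Added example, not Pine's code: access() followed later by fopen(local, "w")
 * resolves the name twice.  open(2) with O_CREAT|O_EXCL|O_NOFOLLOW resolves it
 * once, creating the file atomically and refusing any symlink planted there.
 * open_local_dump() and demo_symlink_blocked() are names chosen here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Create 'local' for writing in one step.  Returns an fd, or -1 with errno
 * set: EEXIST means something (file or symlink) already occupies the path,
 * which is where rpdump's "overwrite it?" prompt would belong. */
int open_local_dump(const char *local)
{
    return open(local, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private temp directory: the race is assumed
 * lost, i.e. a symlink to 'victim' already sits at the dump path.  Returns 1
 * when the hardened open refuses it and 'victim' keeps its contents. */
int demo_symlink_blocked(void)
{
    char dir[] = "/tmp/rpdump-demo-XXXXXX", victim[64], local[64];
    if (!mkdtemp(dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(local, sizeof local, "%s/dump.mbox", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("precious\n", v) < 0 || fclose(v) != 0)
        return 0;
    if (symlink(victim, local) != 0)            /* the planted link */
        return 0;
    int fd = open_local_dump(local);            /* must not follow it */
    int blocked = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);
    char buf[16] = {0};                         /* re-read the victim */
    if (!(v = fopen(victim, "r")))
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, v);
    fclose(v);
    int intact = n == 9 && strcmp(buf, "precious\n") == 0;
    unlink(local); unlink(victim); rmdir(dir);  /* clean up */
    return blocked && intact;
}

int main(void) { return demo_symlink_blocked() ? 0 : 1; }
```

If the existing-file case must still offer an overwrite, open it with O_WRONLY|O_NOFOLLOW|O_TRUNC and validate the result with fstat() on the descriptor, never with a fresh stat() on the name.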

Workaround
==========

Ensure that any directory used as the local destination for rpdump is
writable only by the user running it.