rpdump TOCTOU file-permissions vulnerability
============================================
Software: rpdump (part of the Pine mail package)
Version: Pine 4.62
Software URL: <http://www.washington.edu/pine/>
Platform: Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low
Attacker requires: a local user account and write access to the
directory in which rpdump creates its local file (a world-writable
sticky directory such as /tmp is sufficient).
Attack result: overwriting of an arbitrary file belonging to the user
running rpdump.
Vulnerable software
====================
rpdump as included with Pine 4.62 and previous versions running on Unix.
Vulnerability
==============
Before writing, rpdump checks whether the local file it is about to
create already exists and, if so, whether it is writable and whether the
user wants it overwritten. It does this with the following code in
rcdump.c:

    /* time of check: the test is done on the path name, not on an
       open file, so nothing stops the name changing afterwards */
    if(access(local, ACCESS_EXISTS) == 0){
        if(access(local, WRITE_ACCESS) == 0){
            sprintf(buf, "Local file \"%.20s\" exists, overwrite it",
                    (p = last_cmpnt(local)) ? p : local);
            if(wantto(buf, 'n', 'n') != 'y'){
                fprintf(stderr, "Dump cancelled\n");
                exit(-1);
            }
        }
        else{
            fprintf(stderr, "Local file \"%s\" is not writable\n", local);
            exit(-1);
        }
    }
However, between this check and the eventual fopen(local, "w") it
performs network operations to fetch the remote configuration from an
IMAP server. During that window a local attacker with write access to
the destination directory can create a symbolic link at the local path
pointing at an arbitrary file owned by the user. fopen() follows the
link, so that file is truncated and overwritten with the dumped
contents. The access() check offers no protection: if the link did not
exist when the check ran there is no prompt at all, and access() itself
follows symbolic links, so even a link planted earlier is judged by the
permissions of its target.
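The race described above, as an added example that is not part of this advisory or of Pine: a function that reproduces rpdump's access()-then-fopen() sequence beside a hardened version that lets the kernel do the existence test and the creation atomically with open(2), with the attacker's symbolic link planted in the window between check and use. The function and file names (vulnerable_dump, safe_dump, target_clobbered, pinerc.dump, victim-file) are this example's own, the "remote" data is a constructed string, and a private temporary directory stands in for a world-writable /tmp.

```c
/* Added example, not Pine code: rpdump's check-then-open pattern next to
 * an atomic-open version, with the attacker's symlink planted in between. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*window_fn)(void *);

/* Mirrors rpdump: access() checks first, then the slow IMAP exchange
 * (modelled by during_window), and only then fopen(local, "w"). */
static int vulnerable_dump(const char *local, const char *data,
                           window_fn during_window, void *arg)
{
    if (access(local, F_OK) == 0) {            /* time of check */
        if (access(local, W_OK) != 0)
            return -1;                         /* "is not writable" */
        /* rpdump prompts "overwrite it?" here; assume the user answered 'y' */
    }
    if (during_window)
        during_window(arg);                    /* attacker acts here */
    FILE *fp = fopen(local, "w");              /* time of use: follows a symlink */
    if (!fp)
        return -1;
    fputs(data, fp);
    fclose(fp);
    return 0;
}

/* Hardened: no separate check. O_EXCL refuses any pre-existing name
 * (symlink included) when creating; O_NOFOLLOW refuses a symlink when the
 * user asked to overwrite; fstat() confirms the descriptor is a regular file. */
static int safe_dump(const char *local, const char *data, int allow_overwrite,
                     window_fn during_window, void *arg)
{
    if (during_window)
        during_window(arg);                    /* same race window */
    int flags = O_WRONLY | O_CREAT | O_NOFOLLOW |
                (allow_overwrite ? O_TRUNC : O_EXCL);
    int fd = open(local, flags, 0600);
    if (fd < 0)
        return -1;                             /* EEXIST or ELOOP: attack refused */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    FILE *fp = fdopen(fd, "w");
    if (!fp) {
        close(fd);
        return -1;
    }
    fputs(data, fp);
    fclose(fp);
    return 0;
}

struct race { const char *local; const char *target; };

/* The local attacker wins the race: the not-yet-created local file becomes
 * a symlink to a file the victim owns (the real ~/.pinerc, say). */
static void attacker_plants_symlink(void *p)
{
    struct race *r = p;
    (void)symlink(r->target, r->local);
}

/* One scenario in a fresh temp directory. mode 0: vulnerable_dump;
 * 1: safe_dump creating; 2: safe_dump with overwrite allowed. Returns 1 if
 * the victim's file was overwritten, 0 if it survived, -1 on setup failure. */
static int target_clobbered(int mode)
{
    char dir[] = "/tmp/rpdumpXXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char local[256], target[256];
    snprintf(local, sizeof local, "%s/pinerc.dump", dir);
    snprintf(target, sizeof target, "%s/victim-file", dir);
    FILE *fp = fopen(target, "w");             /* victim's file, known contents */
    if (!fp)
        return -1;
    fputs("original\n", fp);
    fclose(fp);

    struct race r = { local, target };
    const char *remote = "# constructed pinerc as fetched from IMAP\n";
    if (mode == 0)
        vulnerable_dump(local, remote, attacker_plants_symlink, &r);
    else
        safe_dump(local, remote, mode == 2, attacker_plants_symlink, &r);

    char buf[64] = {0};
    if ((fp = fopen(target, "r")) != NULL) {
        (void)fgets(buf, sizeof buf, fp);
        fclose(fp);
    }
    int clobbered = strcmp(buf, "original\n") != 0;
    unlink(local); unlink(target); rmdir(dir);
    return clobbered;
}

int main(void)
{
    const char *names[] = { "vulnerable_dump", "safe_dump (create)", "safe_dump (overwrite)" };
    for (int m = 0; m < 3; m++)
        printf("%-22s victim file %s\n", names[m], target_clobbered(m) ? "overwritten" : "intact");
    return 0;
}
```

The point of the hardened version is that there is no window to race: the existence test and the creation are a single open(2) call decided by the kernel, and a symlink that appears at any earlier moment makes that call fail with EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW) instead of being silently followed. Writing through the returned descriptor (fdopen) rather than reopening the path keeps it that way.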
Workaround
===========
Ensure that any directory used as the local destination for rpdump is
writable only by the user; in particular, do not dump into a shared
directory such as /tmp. A code-level fix would drop the separate access()
check and open the local file with open(2) using O_CREAT|O_EXCL (or
O_NOFOLLOW where overwriting is intended), so that the existence test and
the creation happen atomically.