rpdump TOCTOU file-permissions vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: rpdump TOCTOU file-permissions vulnerability
From: Imran Ghory <imranghory@xxxxxxxxx>
Date: Sun, 10 Apr 2005 03:09:52 +0100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=ojbv/fPDbS0HPE1m5kho7iYeRmFoksCDqdI+qkpKxm5Ied8gT0HlZtlxGQNkdKFG8R421t8ZFAF2dlfzENDCIUEcVKsSyv8eWD3kIlF3OPYczGu5nv3XqiRa3TEs17qpZeNIsZfBZ2dbqhYAnQmwVQRBBRpRRxunynrI1yGDy5k=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Imran Ghory <imranghory@xxxxxxxxx>

================================
rpdump TOCTOU file-permissions vulnerability
================================

Software: rpdump (part of the Pine mail package)
Version: Pine 4.62
Software URL: <http://www.washington.edu/pine/>
Platform:  Unix, Linux.
Vulnerability type: Time-of-Check-Time-Of-Use
Severity: Low
Attacker requires: local user account, write access to directory
rpdump used in (directories with sticky bits such as /tmp are
vulnerable).
Attack result: over-writing of arbitary file belonging to user

Vulnerable software
====================

rpdump included with Pine 4.62 and previous versions running on unix.

Vulnerability
==============

rpdump checks the local file it is creating doesn't already exist
using the following code in rcdump.c:

    if(access(local, ACCESS_EXISTS) == 0){
        if(access(local, WRITE_ACCESS) == 0){

            sprintf(buf, "Local file \"%.20s\" exists, overwrite it",
                    (p = last_cmpnt(local)) ? p : local);
            if(wantto(buf, 'n', 'n') != 'y'){
                fprintf(stderr, "Dump cancelled\n");
                exit(-1);
            }
        }
        else{
            fprintf(stderr, "Local file \"%s\" is not writable\n", local);
            exit(-1);
        }
    }

However it then engages in network operations to access remote files
on an IMAP server before eventually calling fopen(local, "w"). This
time-period presents an opportunity for an attacker to create a
symbolic link that points to an arbitary file owned by the user which
will then be overwritten.

Workaround 
===========

Ensure that any directory which is the local destination for rpdump is
only writeable by the user.

Prev by Date: AzDGDatingPlatinum multiple vulnerabilities
Next by Date: rsnapshot Security Advisory 001
Previous by thread: AzDGDatingPlatinum multiple vulnerabilities
Next by thread: rsnapshot Security Advisory 001
Index(es):
- Date
- Thread