Second-Order Symlink Vulnerabilities
[resubmitted to Bugtraq from a valid subscriber address]
Introduction
------------
Recently, Eric Romang of ZATAZ Audits reported several symlink issues
that are different than the usual symlink vulnerabilities [1] [2].
There are probably a large number of applications that are safe with
respect to traditional symlink problems, but vulnerable to this
particular variant.
Specifically, the problem arises when one program, "PARENT," invokes
another program, "CHILD," in which:
- the CHILD has a "standalone" design, i.e. its normal mode of
operation is to be run by an interactive user, or a script on
behalf of the user.
- the CHILD does not run with more privileges than the user that
invokes it, e.g. it is not setuid.
- the CHILD program assumes that the user calling the program has
control over all files that are specified as arguments, i.e. the
specified filenames are trusted.
- the CHILD program follows symlinks.
- the PARENT uses filenames that are passed as arguments to the
CHILD.
- the filenames as used by the PARENT are:
- controllable, or predictable, by the attacker, and
- in a directory that's writable by the attacker;
The attacker could then use a symlink attack on the filename arguments
that the PARENT passes to the CHILD.
This variant might be referred to as a "Second Order Symlink
Vulnerability," with apologies to NGS Software [3] for my slightly
different usage of the "second order" term.
Discussion
----------
Note that the four conditions for the CHILD, if treated alone, are not
normally regarded as a security vulnerability: there aren't any
privilege boundaries being crossed, and the filenames are under the
control of the user.
It's the interaction between the PARENT and the CHILD that becomes the
problem. There is a strong argument that it is the PARENT's
responsibility to protect against the second-order symlink
vulnerability, since "fixing" the child could significantly reduce
functionality in common standalone uses. However, there may be some
cases in which the PARENT does not have intrinsic knowledge of which
CHILD will be invoked at runtime.
Note that from the CHILD's perspective, the attack vectors do NOT
involve temporary files.
Current code scanning tools may not locate second-order symlink
vulnerabilities when scanning the PARENT, because the affected
fopen/create/etc. function call may not be in the PARENT at all, but
in the CHILD.
Examples
--------
Romang's reports for everybuddy and LutelWall both deal with the case
in which wget is the CHILD, and the PARENT specifies an output file to
wget using the "-O" argument.
It must be emphasized that the vulnerability is NOT in wget; as
previously discussed, it is in the interaction between wget and the
process that invokes it.
For LutelWall, we have:
echo `wget -C off -O $tmp-newfeat -q -t 1 -T 3 -w 3
http://firewall.lutel.pl/FEATURES-${new_ver}`
For everybuddy, we have:
258 g_snprintf(buf, 2048, "rm /tmp/.eb.%s.translator -f ; wget -O \
/tmp/.eb.%s.translator \
'http://world.altavista.com/sites/gben/pos/babelfish/tr?tt=urltext&lp=%s_%s&urltext=%s'",
259 getenv("USER"), getenv("USER"), from, to, string);
...
...
263 if(system(buf)!=0)
References
----------
[1] "everybuddy <= 0.4.3 insecure temporary file creation"
Bugtraq mailing list, June 6, 2005
http://marc.theaimsgroup.com/?l=bugtraq&m=111809118405393&w=2
http://www.zataz.net/adviso/everybuddy-06062005.txt
[2] "LutelWall <= 0.97 insecure temporary file creation"
Full-Disclosure mailing list, June 6, 2005
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034424.html
http://www.zataz.net/adviso/lutelwall-05222005.txt
[3] "Second Order Code Injection Attacks"
NGS Software
http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf