xorl %eax, %eax

CVE-2009-1207: Solaris dircmp(1) Race Condition


This issue was published on 30 March 2009 and affects Solaris 8, 9 and 10 for SPARC and x86 without patches 141014-01 and 141015-01 respectively, as well as OpenSolaris builds snv_01 through snv_111. Credit goes to River Tarnell of the Wikimedia Foundation for reporting this bug. The vulnerable tool, dircmp, is a simple shell script used to compare two directories; it can be found under usr/src/cmd/dircmp/dircmp.sh. The vulnerability is this:

PATH=/usr/bin
USAGE="usage: dircmp [-d] [-s] [-wn] dir1 dir2"
trap "rm -f /usr/tmp/dc$$*;exit" 1 2 3 15


As you can see, it uses 'rm -f' to remove the /usr/tmp/dc$$* file(s), which can lead to a TOCTOU condition: /usr/tmp is a shared directory and the file name depends only on the script's PID ($$). An attacker who creates symbolic links in that directory can have arbitrary files on the system removed. In addition, the script creates its working files in the same insecure way, for example:

	  pr -h "diff of $a in $D1 and $D2" >> /usr/tmp/dc$$g
     ...
	  pr -h "diff of $a in $D1 and $D2" >> /usr/tmp/dc$$g
     ...
	  pr -h "diff of $a in $D1 and $D2" >> /usr/tmp/dc
     ...
($cmd "$D1"/"$a" "$D2"/"$a"; echo $? > /usr/tmp/dc$$status) | \
    pr -h "diff of $a in $D1 and $D2" >> /usr/tmp/dc$$g
if [[ `cat /usr/tmp/dc$$status` != 0 ]]
     ...
find . -print | sort > /usr/tmp/dc$$b
comm /usr/tmp/dc$$a /usr/tmp/dc$$b | sed -n \
	-e "/^		/w /usr/tmp/dc$$c" \
	-e "/^	[^	]/w /usr/tmp/dc$$d" \
	-e "/^[^	]/w /usr/tmp/dc$$e"
rm -f /usr/tmp/dc$$a /usr/tmp/dc$$b
pr -w${width} -h "$D1 only and $D2 only" -m /usr/tmp/dc$$e /usr/tmp/dc$$d
rm -f /usr/tmp/dc$$e /usr/tmp/dc$$d
     ...
cat /usr/tmp/dc$$f | xargs ls -lLgnd | \
 sed -e '/^[bc]/ s/, *//' -e '/^l/ s/ -> .*//' > /usr/tmp/dc$$i 2>/dev/null
     ...
rm -f /usr/tmp/dc$$*
exit $exitstat

All these (and a few more) operations on insecure temporary files can lead to straightforward exploitation using common symlink attacks. To fix them, the following patch was applied:

- trap "rm -f /usr/tmp/dc$$*;exit" 1 2 3 15
+ TEMPDIR=`mktemp -d /var/tmp/dir.XXXXXX`
+ if [ -z "$TEMPDIR" ]; then exit 1; fi 
+
+ trap "rm -f -r $TEMPDIR;exit" 0 1 2 3 15
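Review bot: the `-z "$TEMPDIR"` guard on the second added line only catches an empty result; mktemp reports failure through a non-zero exit status, so checking that directly (`TEMPDIR=\`mktemp -d /var/tmp/dir.XXXXXX\` || exit 1`) is the stricter test. The 0 added to the trap's signal list deserves a comment, because it changes behaviour: the tree is now removed on normal exit as well, which the original `1 2 3 15` trap did not do. Since mktemp -d creates the directory with mode 0700, only its owner can create entries or links inside it, so the per-file names placed under $TEMPDIR do not themselves need to be unpredictable.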


Now the temporary directory is created with mktemp(1) and its path is stored in the shell variable TEMPDIR. All of the insecure /usr/tmp/dc$$ instances shown above were replaced with files under $TEMPDIR.
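The same private temp-directory pattern as reusable shell functions, as an added example that is not part of the post or of dircmp.sh: the function names and the dircmp.XXXXXX template are this example's own, and the check function verifies a directory before it is trusted.

```shell
#!/bin/sh
# Added example, not the dircmp.sh source: the private temp-directory
# pattern the patch introduces, as reusable functions. The function
# names and the dircmp.XXXXXX template are this example's own.

# Create a private scratch directory, published via the global TEMPDIR
# as in the patch. mktemp -d picks an unpredictable name and creates
# the directory with mode 0700, so no other user can pre-plant symlinks
# under it. On failure mktemp prints nothing and exits non-zero, so the
# exit status is checked directly rather than only the emptiness of $TEMPDIR.
make_private_tmpdir() {
    TEMPDIR=$(mktemp -d "${TMPDIR:-/tmp}/dircmp.XXXXXX") || return 1
    # Remove the whole tree on normal exit (0) and on HUP/INT/QUIT/TERM.
    trap 'rm -rf "$TEMPDIR"' 0 1 2 3 15
    return 0
}

# Verify a scratch directory before trusting it: a real directory (not a
# symlink), owned by the caller, mode 0700. ls -ldn is POSIX; field 1 is
# the mode string, field 3 the numeric owner uid.
check_private_tmpdir() {
    _d=$1
    [ -d "$_d" ] && [ ! -h "$_d" ] || return 1
    set -- $(ls -ldn "$_d")
    case $1 in
        drwx------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# Name a per-run file inside $TEMPDIR instead of /usr/tmp/dc$$<suffix>;
# the suffix scheme (a, b, status, ...) is kept, only the directory changes.
scratch_file() {
    printf '%s/dc%s\n' "$TEMPDIR" "$1"
}

# Mirrors "echo $? > /usr/tmp/dc$$status" from the original script.
main() {
    make_private_tmpdir || exit 1
    check_private_tmpdir "$TEMPDIR" || exit 1
    status_file=$(scratch_file status)
    echo 0 > "$status_file"
    cat "$status_file"
}

main "$@"
```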

Written by xorl

April 21, 2009 at 13:09

Posted in bugs, solaris
