Bug#287601: vdradmin: Vdradmin.pl script vulnerable to symlink attacks

Javier Fernández-Sanguino Peña pkg-vdr-dvb-devel@lists.alioth.debian.org
Wed, 29 Dec 2004 00:41:15 +0100



Package: vdradmin
Version: 0.96-2
Priority: critical
Tags: security sarge sid

[Note to security team: since this program has not been released I don't
believe a DSA should be necessary, but this bug should be tracked for the
next release]

The vdradmin.pl script does not protect itself from temporary file attacks
since it creates several temporary files in an insecure manner
(/tmp/vdradmin+time, /tmp/vdr.jpg). The script does not check whether the
temporary files it tries to use already exist before using them. The attached
patch (untested) tries to fix this issue.

Actually, the script will only try to create the first one itself. The
other is passed as a command to the vdr program:

        SendCMD("grab $file jpeg 40 $width $height");

I've checked the vdr sources and the cDvbDevice::GrabImage implementation
(see vdr-1.2.6/dvbdevice.c) will just open the file without any further
checks:

           isyslog("grabbing to %s (%s %d %d %d)", FileName, Jpeg ? "JPEG" : "PNM", Quality, vm.width, vm.height);
           FILE *f = fopen(FileName, "wb");

As a consequence, any local user in a system where vdradmin is used can
force a symlink attack by symlinking /tmp/vdr.jpg to files that the daemon
vdr can write to. Since the vdr program seems to run in Debian's default
configuration with root privileges IMHO this is a serious hole.

I believe that the vdr sources should be reviewed to make sure that a vdr
daemon running as root cannot compromise the whole system (there are no
checks for symlink attacks in the fopen calls). It should be worthwhile
trying to make the daemon work as a non-root user. I will file this as a
separate bug referencing this one, however.

Regards

Javier
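
The following C program is an added illustration of the report above; it is not code from vdr, vdradmin or the attached patch. It reproduces the fopen(FileName, "wb") pattern quoted from GrabImage next to a hardened open(), plants a symlink the way a local user would plant /tmp/vdr.jpg, and shows that the first write goes through the link while the second is refused. The scratch directory, file names and the function names grab_unsafe, grab_safe and demo_symlink_attack are assumptions made for the demo; the whole thing runs unprivileged because the "daemon-writable" target is just a file in a private directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern, as in the fopen(FileName, "wb") quoted from vdr: if the
 * path is a symlink planted by another user, fopen follows it and truncates
 * and overwrites whatever the link points at. */
static int grab_unsafe(const char *path, const char *payload)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    fputs(payload, f);
    fclose(f);
    return 0;
}

/* Hardened variant. O_CREAT|O_EXCL makes open() fail with EEXIST if anything
 * already exists at the path, a symlink included (even a dangling one); the
 * existence check and the create are a single atomic syscall, so there is
 * no window for an attacker to race. O_NOFOLLOW is extra insurance. */
static int grab_safe(const char *path, const char *payload)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fputs(payload, f);
    fclose(f);
    return 0;
}

/* Constructed scenario: a local user pre-creates "vdr.jpg" as a symlink to a
 * file that only the daemon can write. Return codes:
 *   0  unsafe open wrote through the link AND safe open refused with EEXIST
 *   1  unsafe open did not follow the link (not expected on Linux/glibc)
 *   2  safe open did not refuse with EEXIST
 *  -1  setup failure (scratch directory not creatable) */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/vdr-symlink-demo.XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./vdr-symlink-demo.XXXXXX");   /* fallback: cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char target[512], lnk[512];
    snprintf(target, sizeof target, "%s/daemon-writable-file", dir);
    snprintf(lnk, sizeof lnk, "%s/vdr.jpg", dir);

    FILE *t = fopen(target, "w");                 /* the victim file */
    if (t == NULL) { rmdir(dir); return -1; }
    fputs("original contents\n", t);
    fclose(t);
    if (symlink(target, lnk) != 0) { unlink(target); rmdir(dir); return -1; }

    errno = 0;                                    /* hardened open first */
    int safe_rc = grab_safe(lnk, "JPEG bytes\n");
    int safe_errno = errno;

    int unsafe_rc = grab_unsafe(lnk, "JPEG bytes\n");  /* vdr's pattern */

    char buf[64] = {0};                           /* what did the target end up holding? */
    FILE *r = fopen(target, "r");
    if (r) { if (!fgets(buf, sizeof buf, r)) buf[0] = 0; fclose(r); }
    int clobbered = strcmp(buf, "JPEG bytes\n") == 0;

    unlink(lnk); unlink(target); rmdir(dir);

    if (safe_rc != -1 || safe_errno != EEXIST)
        return 2;
    if (unsafe_rc != 0 || !clobbered)
        return 1;
    return 0;
}

int main(void)
{
    int rc = demo_symlink_attack();
    printf("result %d (0 = fopen followed the symlink, O_EXCL open refused)\n", rc);
    return rc;
}
```

Two points worth noting. First, this is the check that a patch to vdradmin.pl alone cannot supply for /tmp/vdr.jpg, because it is vdr, not the Perl script, that performs the open; the fix belongs in GrabImage (the exclusive open above) or in grabbing only into a directory writable by the vdr user alone. Second, O_EXCL means a second grab to the same name fails because the previous image is still there; unlinking first reopens the race, so a private directory or a fresh name per grab (what mkstemp, or File::Temp's tempfile() on the Perl side, gives you) is the usual answer.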


