initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack

Bug #7496 reported by Debian Bug Importer
Affects            Status        Importance  Assigned to  Milestone
sysvinit (Debian)  Fix Released  Unknown     -            -
sysvinit (Ubuntu)  Fix Released  High        Martin Pitt  -

Bug Description

Automatically imported from Debian bug report #264234 http://bugs.debian.org/264234

Revision history for this message
Miquel van Smoorenburg (miquels-cistron) wrote : Re: Bug#264234: initscripts: bootclean.sh file creation vulnerability

On Sat, 07 Aug 2004 20:38:06, Zygo Blaxell wrote:
> Package: initscripts
> Version: 2.86-1
> Severity: normal
>
> While rejecting modifications to bootclean.sh today, I noticed a line
> that read:
>
> :>> /tmp/.clean
>
> This suggests at least a file creation security vulnerability exploitable
> as follows:

Well, it would indeed be a good idea to remove /tmp/.clean early in
the boot process to prevent this. However on a standard system this
cannot happen.

At shutdown time, /etc/init.d/umountnfs.sh (which is really badly
named, I admit) removes /tmp/.clean, so that should be sufficient.

Unless an attacker creates a symlink in /tmp/.clean and finds
a way to hard-reboot the kernel (using say a kernel vulnerability
like 2.4.25 had).

Severity can stay at "normal" for now, I guess.

Mike.

Revision history for this message
Zygo Blaxell (zblaxell) wrote :

On Sun, Aug 08, 2004 at 01:10:39PM +0200, Miquel van Smoorenburg wrote:
> Well, it would indeed be a good idea to remove /tmp/.clean early in
> the boot process to prevent this.

Actually in this particular case it will be sufficient to remove .clean
immediately before touching it:

 rm -rf /tmp/.clean
 :>> /tmp/.clean

The assumption that makes this safe is that evil user processes (e.g.
cron jobs, user logins, email delivers, etc) have not had a chance to
start running yet, so they can't reinsert the symlink between those
two lines.

> However on a standard system this
> cannot happen.
>
> At shutdown time, /etc/init.d/umountnfs.sh (which is really badly
> named, I admit) removes /tmp/.clean, so that should be sufficient.

Assuming the machine goes down cleanly, of course. Most of my system
reboots these days are due to power failures or poor resource planning
("Hmmm, I guess I can't run 50 instances of spamassassin on that machine
after all, it runs out of RAM and the watchdog kills it").

Revision history for this message
Thomas Hood (jdthood-aglu) wrote : Fix for sarge?

This poses a security risk and there is a straightforward fix.
Fix for sarge?
--
Thomas

Revision history for this message
Thomas Hood (jdthood-yahoo) wrote : retitle 264234 to initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack, tagging 264234

# Automatically generated email from bts, devscripts version 2.8.1
retitle 264234 initscripts: bootclean.sh: /tmp/.clean vulnerable to symlink attack
tags 264234 security

Revision history for this message
Miquel van Smoorenburg (miquels) wrote : Re: Bug#264234: Fix for sarge?

On Tue, 17 Aug 2004 21:34:52, Thomas Hood wrote:
> This poses a security risk and there is a straightforward fix.
> Fix for sarge?

Probably should upload to proposed-updates, yes. Increase
the severity of the bug first ?

Mike.

Revision history for this message
Thomas Hood (jdthood-aglu) wrote :

severity 264234 serious
thanks

On Tue, 2004-08-17 at 22:21, Miquel van Smoorenburg wrote:
> Probably should upload to proposed-updates, yes. Increase
> the severity of the bug first ?

Done with this message
--
Thomas

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 07 Aug 2004 14:38:06 -0400
From: Zygo Blaxell <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: initscripts: bootclean.sh file creation vulnerability

Package: initscripts
Version: 2.86-1
Severity: normal

While rejecting modifications to bootclean.sh today, I noticed a line
that read:

 :>> /tmp/.clean

This suggests at least a file creation security vulnerability exploitable
as follows:

 zblaxell@dio:~$ ls -l /tmp/.clean
 ls: /tmp/.clean: No such file or directory
 zblaxell@dio:~$ ln -s /FOO /tmp/.clean
 zblaxell@dio:~$ reboot -ndf

...one reboot later...

 zblaxell@dio:~$ ls -l /FOO
 -rw-r--r-- 1 root root 0 Aug 7 13:56 /FOO

The ability to create root-owned empty files with arbitrary names can
probably be used to at least create inconvenience, if not wreak more
interesting security-related havoc.

-- System Information:
Debian Release: 3.0
  APT prefers testing
  APT policy: (102, 'testing'), (101, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-zb-k7-smp
Locale: LANG=C, LC_CTYPE=C

Versions of packages initscripts depends on:
ii coreutils 5.2.1-2 The GNU core utilities
ii dpkg 1.10.23 Package maintenance system for Deb
ii e2fsprogs 1.35-6 The EXT2 file system utilities and
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii mount 2.11n-7 Tools for mounting and manipulatin
ii util-linux 2.11n-7 Miscellaneous system utilities.

-- no debconf information

Revision history for this message
Matt Zimmerman (mdz) wrote :

Should be trivially fixable with set noclobber or similar; Martin, can you take
care of this?

Revision history for this message
Martin Pitt (pitti) wrote : Proposed patch

tags 264234 patch
thanks

Hi Miquel!

Deleting */.clean before creating it is a good idea to overcome
symlink attacks. To be absolutely sure that the attacker cannot insert
a command in between, the creation command should be executed in a
noclobber environment.

I prepared a patch directly against /etc/init.d/bootclean.sh, which
closes this security hole and works very well. You can find it on

http://fixthathole.no-name-yet.com/patches/sysvinit.264234.diff

What do you think?

Thanks and have a nice day!

Martin

--
Martin Pitt Debian GNU/Linux Developer
<email address hidden> <email address hidden>
http://www.piware.de http://www.debian.org
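Added example (not code from the sysvinit package or from any message in this thread): it replays the marker-file step of bootclean.sh in a private scratch directory, under hypothetical function names, and contrasts the original `:>>` append with the fix agreed here (remove the path, then create it with noclobber set). It assumes a POSIX sh with mktemp(1); the functions unsafe_mark, safe_mark, demo and noclobber_refuses_symlink are the example's own.

```shell
#!/bin/sh
# Added example, not code from sysvinit/initscripts. Replays the bootclean.sh
# marker-file step in a scratch directory and contrasts the original append
# with the fix from this bug (rm, then create under noclobber).

# Original behaviour: append-redirect to the marker path. The shell opens the
# path with O_WRONLY|O_CREAT|O_APPEND, so a planted symlink is followed and
# the empty file appears at the link target instead of at the marker path.
unsafe_mark() {
    : >> "$1"
}

# Fixed behaviour modelled on sysvinit 2.86-2: delete whatever sits at the
# path (file, symlink, directory), then create the marker with noclobber
# (set -C). bash and dash implement noclobber by opening with O_CREAT|O_EXCL
# when the path does not stat, so anything reinserted in between makes the
# redirection fail instead of being followed.
safe_mark() {
    rm -rf "$1"
    ( set -C; : > "$1" ) 2>/dev/null
}

# Run one variant against a constructed planted symlink .clean -> FOO.
# Prints "target" if FOO got created, "marker" if a regular file now sits
# at .clean, "none" if nothing was created.
demo() {
    dir=$(mktemp -d) || return 1
    ln -s "$dir/FOO" "$dir/.clean"           # constructed attacker symlink
    "$1" "$dir/.clean" || :
    if [ -e "$dir/FOO" ]; then
        result=target
    elif [ -f "$dir/.clean" ] && [ ! -L "$dir/.clean" ]; then
        result=marker
    else
        result=none
    fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Noclobber on its own, without the rm: creation through the symlink must be
# refused and the link target must stay absent. Returns 0 when both hold.
noclobber_refuses_symlink() {
    dir=$(mktemp -d) || return 1
    ln -s "$dir/FOO" "$dir/.clean"           # constructed attacker symlink
    if ( set -C; : > "$dir/.clean" ) 2>/dev/null; then created=1; else created=0; fi
    if [ -e "$dir/FOO" ]; then hit=1; else hit=0; fi
    rm -rf "$dir"
    [ "$created" -eq 0 ] && [ "$hit" -eq 0 ]
}

printf 'append (original): %s\nrm + noclobber (fixed): %s\n' \
    "$(demo unsafe_mark)" "$(demo safe_mark)"
```

Both variants run as the invoking user, so the created files are owned by that user rather than root; the point is only where the file lands, which is what makes the boot-time version a problem.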

Revision history for this message
Martin Pitt (pitti) wrote :

fixed in sysvinit_2.85-22ubuntu4

Revision history for this message
Thomas Hood (jdthood-yahoo) wrote : tagging 264235, tagging 264234

# Automatically generated email from bts, devscripts version 2.8.4
tags 264235 - sarge
tags 264234 sarge

Revision history for this message
Miquel van Smoorenburg (miquels) wrote : Bug#264234: fixed in sysvinit 2.86-2

Source: sysvinit
Source-Version: 2.86-2

We believe that the bug you reported is fixed in the latest version of
sysvinit, which is due to be installed in the Debian FTP archive:

initscripts_2.86-2_i386.deb
  to pool/main/s/sysvinit/initscripts_2.86-2_i386.deb
sysv-rc_2.86-2_all.deb
  to pool/main/s/sysvinit/sysv-rc_2.86-2_all.deb
sysvinit_2.86-2.diff.gz
  to pool/main/s/sysvinit/sysvinit_2.86-2.diff.gz
sysvinit_2.86-2.dsc
  to pool/main/s/sysvinit/sysvinit_2.86-2.dsc
sysvinit_2.86-2_i386.deb
  to pool/main/s/sysvinit/sysvinit_2.86-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miquel van Smoorenburg <email address hidden> (supplier of updated sysvinit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Mon, 6 Sep 2004 19:02:19 +0200
Source: sysvinit
Binary: sysv-rc sysvinit initscripts
Architecture: source i386 all
Version: 2.86-2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Miquel van Smoorenburg <email address hidden>
Changed-By: Miquel van Smoorenburg <email address hidden>
Description:
 initscripts - Standard scripts needed for booting and shutting down
 sysv-rc - Standard boot mechanism using symlinks in /etc/rc?.d
 sysvinit - System-V like init
Closes: 264234 264894
Changes:
 sysvinit (2.86-2) testing-proposed-updates; urgency=high
 .
   * Remove .clean file before touching it; prevents symlink attack
     which in rare circumstances could result in random file creation
     (closes: #264234)
   * Do the above in a noclobber environment (Martin Pitt).
   * Don't mount network filesystems multiple times (closes: #264894)
Files:
 8ab97fc5148e8b895af4007fde9fd71f 643 base required sysvinit_2.86-2.dsc
 90207f8bbff5a74bb58568d4c9e46d02 59187 base required sysvinit_2.86-2.diff.gz
 5e5c7df26bd1dd8a0421c5a2af6d2468 96898 base required sysvinit_2.86-2_i386.deb
 060405f3f92a8ea5d97afd25716a14c2 30130 base required initscripts_2.86-2_i386.deb
 7da3a420806342dadc133eba150b1c02 34894 base required sysv-rc_2.86-2_all.deb

Changed in sysvinit:
status: Unknown → Fix Released