Midnight Commander /tmp race
X-RDate: Tue, 17 Mar 1998 16:41:44 +0500 (ESK)
Date: Sun, 15 Mar 1998 16:33:47 +0100
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Midnight Commander /tmp race
Midnight Commander (I have version 4.1.8, RedHat 5.0) is launched using
the following shell macro:
mc=()
{
MC=/tmp/mc$$-"$RANDOM";
/usr/bin/mc -P "$@" >"$MC";
cd "`cat $MC`";
rm "$MC";
unset MC
}
Well, unfortunately it isn't secure. $$ is replaced with shell pid (not mc
pid!!!) - usually it's user's login shell pid, and may be obtained with
'ps au|grep "\-bash"'. $RANDOM, as everyone knows, generates pseudo-random
integer from range 0..32767. Well, 'random' number isn't very random,
but even without mathematical tricks we can guess it - when we create
eg. 1000 [sym]links (a few seconds), our chances are about 1/33, and
probably target file will be sooner or later overwritten with mc's last
working directory. With 10000 files (it will take maybe a half minute) -
our chances incerases to about 1/3, but it needs more disk activity and
may be detected...
Solution? Use mktemp: MC=`mktemp mc$$-XXXXXX` instead of $RANDOM :)))
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=