Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh/files module and insecure tempfile creation

X-seq: zsh-workers 34248
From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
To: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
Subject: Re: zsh/files module and insecure tempfile creation
Date: Mon, 12 Jan 2015 05:43:44 +0000
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= daniel.shahaf.name; h=x-sasl-enc:date:from:to:cc:subject :message-id:references:mime-version:content-type :content-transfer-encoding:in-reply-to; s=mesmtp; bh=eGgqZW6yQwk mF2Lx2j7fJt1ZGx8=; b=jtXDKxVHcH1PksmHfW2Z/9i39u62ArJbsn9MQ0+BcWu LF77PlsOccNeQEYEIKRq3fc1J9NcX8F0D+OZe26tZ+Gaub3iFKfkBgbRHryQ48bW xNz+YivTxuF9Q+PJRZse2fui02tPnwB/GQkMUfPS4WIs89uI9E8Ecfwq9JoR7fRM =
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=x-sasl-enc:date:from:to:cc:subject :message-id:references:mime-version:content-type :content-transfer-encoding:in-reply-to; s=smtpout; bh=eGgqZW6yQw kmF2Lx2j7fJt1ZGx8=; b=TPiOby5EcugsP6HMekaYLp0B4DnMsO0BcB6+qMcjpR avCXDWuT8qwq8VN3xsP43K7b9qvyCeqkEVGsFga+UkFlUT3iphfTWCvPggV2YwgN LT1Y54MhQZlPkf3UHrYSBSzcZ5yp62PEI5VBbJL8M5nzLzbjjoMCSmuuyIdS86dH 8=
In-reply-to: <150109223150.ZM24107@torch.brasslantern.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <150109223150.ZM24107@torch.brasslantern.com>

Bart Schaefer wrote on Fri, Jan 09, 2015 at 22:31:50 -0800:
> I'm trying to work through the "attack vector" for the mv -f trick.
> The situation is that a script wants to create a plain empty file
> with a known name, let's say "/tmp/zsh12345".
> 
> If the attacker creates his own plain file named /tmp/zsh12345 then the
> "mv -f" will clobber it, so that's not at issue.  Therefore an attack
> is possible if the attacker can create a directory (or symlink to a
> directory) named /tmp/zsh12345 and writable by the zsh process,
> because then mv will put the empty plain file inside that directory.
> 
> Next the attacker must be able to swap the directory or symlink with
> a symlink to his own target file.  Presumably if he could create it
> in the first place, he can swap it.  So we do have an attack that can
> clobber any file writable by the zsh user.  Anybody disagree?

On FreeBSD systems, 'cat /path/to/dir' works (prints something and
returns 0).  Therefore, even if the (symlink-to-)dir is not replaced by
a file, unexpected effects might be caused when some code attempts to
cat the tempfile (which is in fact a directory) — whether in order to
run it as shell commands or in order to use it as data.

Sorry, but I haven't audited the patch to see what exactly this could
cause in each instance.  (No time.)

Daniel

Follow-Ups:
- Re: zsh/files module and insecure tempfile creation
  - From: Bart Schaefer

References:
- zsh/files module and insecure tempfile creation
  - From: Bart Schaefer

Messages sorted by: Reverse Date, Date, Thread, Author