Message-ID: <2ECE9D9EEF1F524185270138AE23265955B0BACD@S0MSMAIL112.arc.local>
Date: Fri, 3 Nov 2017 12:25:12 +0000
From: Fiedler Roman <Roman.Fiedler@....ac.at>
To: "'oss-security@...ts.openwall.com'" <oss-security@...ts.openwall.com>
Subject: Re: Security risk of server side text editing in general and vim.tiny specifically
> From: Jakub Wilk [mailto:jwilk@...lk.net]
>
> * Fiedler Roman <Roman.Fiedler@....ac.at>, 2017-11-03, 11:07:
> >POC for vim.tiny on Ubuntu Xenial to overwrite arbitrary files as user
> >root when editing file in directory owned by other user is available on
> >request, disclosure after one week or if list discussion indicates
> >other timing.
>
> By default[1], when vim wants to overwrite the file "foo", it does:
>
> rename("foo", "foo~") = 0
> open("foo", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0600) = 3
>
> There's a race window between the two syscalls when the attacker could
> re-create "foo", and then vim would happily write to it.
>
> Is this the attack you meant?
This is one of the attack points, but there are multiple sequences of
problematic syscalls, especially when running vim.tiny as root, also
getxattr("x.txt", "system.posix_acl_access", ... -> get attrs of arbitrary file via symlink
setxattr("x.txt", "system.posix_acl_access", ... -> set those attrs on arbitrary file
chmod("x.txt", 0100644) = 0 -> set mode of previous x.txt on arbitrary file
...
As previously stated, this indicates that the
"root-edits-file-of-non-root-user" use case was not considered. But is that a
problem?
Put it another way: when a doctor cuts himself with his scalpel, is it the
doctor's or the scalpel's fault?
LG Roman
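Added example, not from this thread and not vim's code: a C write routine that refuses to follow symlinks and keeps every step after open() on the file descriptor (fstat, ftruncate, write, fchmod), as the defensive counterpart to the path-based rename/open/chmod/setxattr sequence discussed above. The hard-link check and the self_test helper (temp file under /tmp) are my own assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Overwrite an existing regular file in place. After open() everything goes
 * through the descriptor, so a symlink swapped in under the path cannot
 * redirect the write or the chmod (or an fsetxattr ACL copy, not shown).
 * Returns 0 on success, -1 if refused, -2 on I/O error. */
int safe_overwrite(const char *path, const char *data, size_t len, mode_t mode)
{
    /* No O_CREAT: never create the target, so there is nothing to race. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                 /* missing, or a symlink (ELOOP) */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                         /* extra hard links may alias */
        return -1;
    }
    if (ftruncate(fd, 0) != 0) { close(fd); return -2; }
    for (size_t off = 0; off < len;) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { close(fd); return -2; }
        off += (size_t)n;
    }
    int rc = fchmod(fd, mode) == 0 ? 0 : -2;   /* fd-based, not chmod(path) */
    close(fd);
    return rc;
}
/* Constructed self-check: a temp file is rewritten, a symlink to it is refused. */
int self_test(void)
{
    char tmpl[] = "/tmp/safe_overwrite_XXXXXX", link[64], buf[64] = {0};
    int fd = mkstemp(tmpl);
    if (fd < 0) return 1;
    close(fd);
    const char *msg = "edited in place\n";
    if (safe_overwrite(tmpl, msg, strlen(msg), 0644) != 0) { unlink(tmpl); return 2; }
    FILE *f = fopen(tmpl, "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    snprintf(link, sizeof link, "%s.lnk", tmpl);
    int rc = (n == strlen(msg) && strcmp(buf, msg) == 0 && symlink(tmpl, link) == 0)
             ? safe_overwrite(link, msg, strlen(msg), 0644) : 99;  /* expect -1 */
    unlink(link);
    unlink(tmpl);
    return rc == -1 ? 0 : 3;
}
```

self_test() returns 0 only if the regular file was rewritten with the expected contents and the symlink to it was refused.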