Date: Tue, 29 Feb 2000 17:39:25 +0100
From: Morten Welinder <[email protected]>
To: [email protected]Subject: xterm log file vulnerability
It used to be Well Known that xterm's way of opening a log file
was insecure. Well, that was 5+ years ago so I decided to take
a look at the current state of affairs. Things have changed,
but mostly to "different" rather than "better".
Problem: when log files are enabled, they are created in the
following way (checking in XFree86 3.3.6 source; matches Solaris
binaries) and are subject to race conditions:
1. File is checked for existance using access.
2. If file does not exist, it is created in a subprocess using user's
real uid/gid. [ok]
3. File is checked for existance using access.
4. File is checked for write permission using access.
5. File is opened O_WRONLY | O_APPEND. [plonk]
A little symlink magic between 4 and 5 and you have write access to
any file if your xterm is setuid/setgid.
General attack idea:
ls -lL `which xterm`
# If not setuid/setgid, you are safe
touch dummy
symlink-flipflop link dummy /.rhosts
xterm -l -lf link -e echo + +
Moral: access() is totally useless for security purposes. Use it
only as a means of providing better error messages (as it might not
be easy to get an error message out from a subprocess).
Morten
