SecurityTracker.com
Category:   Application (Security)  >   Tripwire
Vendors:   Tripwire
Tripwire File Security Software May Let Local Users Obtain Root Level Privileges on the System
SecurityTracker Alert ID:  1001952
SecurityTracker URL:  http://securitytracker.com/id/1001952
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 9 2001
Impact:   Modification of authentication information, Modification of system information, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Tripwire 2.2.1, tripwire 2.3.0 (and tripwire-ASR-1.3.1), possibly others
Description:   A vulnerability was reported in the Tripwire file integrity program that could allow local users to exploit a race condition and obtain root level privileges on the system.

It is reported that temporary files are created insecurely when scanning the filesystem and updating the tripwire database. The temporary file names are reportedly generated with mktemp() and the files are then opened or created in the /tmp directory without the O_EXCL flag. As a result, a local user can create a symbolic link in /tmp that points to another critical file and have tripwire overwrite that file using root level privileges.

The vulnerability reportedly exists in core/archive.cpp, core/unix/unixfsservices.cpp, and tw/textreportviewer.cpp.

Insecure files are reportedly created when executing the following commands:
tripwire --check
tripwire --update -r reportdir/reportfile
tripwire --check --email-report

It is further reported that Tripwire-2.2.1 for Linux uses the process id (pid) of tripwire in creating the temporary file names, which facilitates exploitation.

Impact:   A local user can cause files on the system to be overwritten using root level privileges, allowing the local user to gain root level access on the system.
Solution:   No vendor solution (from Tripwire, the company) was available at the time of this entry. However, a fixed open source version of tripwire is available from:
http://sourceforge.net/projects/tripwire/

The fixed version reportedly uses a new TEMPDIRECTORY configuration option that allows tripwire to use a temporary directory that is only accessible to root.

The author of the report indicates that tripwire-2.3.1-2 (from sourceforge) still has one unsafe temporary file open function (see the Source Message for details on this and a possible workaround).

Vendor URL:  www.tripwire.com/
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Mandrake Issues Fix) Re: Tripwire File Security Software May Let Local Users Obtain Root Level Privileges on the System
Mandrake has issued a fix.



 Source Message Contents

Subject:  Tripwire temporary files


      ------------------------------------------------------------
                  Insecure temporary files in Tripwire
                         Jarno.Huuskonen@uku.fi
                      $Date: 2001/07/09 05:02:02 $
      ------------------------------------------------------------

Author:
 Jarno Huuskonen <Jarno.Huuskonen@uku.fi>

Discovered:
 Tue 16 Jan 2001

Vendor status:
 Vendor contacted on Tue, 16 Jan 2001.
 Fixed version available from: http://sourceforge.net/projects/tripwire/

Platforms:
 Tripwire 2.2.1, tripwire 2.3.0 (and tripwire-ASR-1.3.1). I tested the
 vulnerability only on Linux, so I can't confirm if other platforms or
 versions are affected or not (but I believe that versions<2.4 are).

Severity:
 Possible local file overwrite (symlink attack). (For more information
 about race conditions see [1][2][3]).

Abstract:
 Tripwire opens/creates temporary files insecurely. Insecure temporary
 files are created at least when scanning the filesystem and updating
 tripwire database.

Details:
 Tripwire opens/creates temporary files in /tmp without O_EXCL flag.
 These temporary filenames are created with mktemp system call. This
 makes it possible for a local user to overwrite files with root (user
 running tripwire) permissions.

 I found out about the problem when I noticed a temporary file
 /tmp/twtempa19212 left in /tmp. Out of curiosity I ran the tripwire
 binary with strace and noticed that temporary files in /tmp are opened
 without the O_EXCL flag.

 After that I looked at the tripwire sources and confirmed the problem.
 (See e.g. core/archive.cpp, core/unix/unixfsservices.cpp and
 tw/textreportviewer.cpp).

 Insecure files are created at least when running:
  tripwire --check
  tripwire --update -r reportdir/reportfile
  tripwire --check --email-report

 Tripwire-2.2.1 for Linux (the binary version available from
 http://www.tripwire.com) seems to be the easiest to exploit because
 it is statically linked with mktemp that uses the PID of tripwire for
 creating the 'unique' filename. In all of my tests with this version
 the temporary filename was /tmp/twtempaPID.

Solution:
 Install fixed tripwire and use the new TEMPDIRECTORY configuration
 option so tripwire can use only root writable temporary directory
 (e.g. /root/tmp).

 Note: tripwire-2.3.1-2 (from sourceforge) still has one unsafe
 temporary file open (see tripwire-2.3.1-2/src/core/archive.cpp
 cLockedTemporaryFileArchive::OpenReadWrite).

Possible workaround:
 It appears possible to patch binary tripwire (2.2.1) to create
 temporary files in a directory other than /tmp. To do this edit the
 tripwire binaries: siggen, tripwire, twadmin and twprint, and replace
 the twtempXXXXXX strings with e.g. tw/tmpXXXXXX. Now tripwire creates
 temporary files in /tmp/tw directory (The /tmp/tw directory should be
 owned by root and writable only by root). Note: If you're going to edit
 the binaries do it at your own risk AND read the tripwire license
 before doing so! (and only if you can't get an updated tripwire).

Credits:
 I would like to thank Ron Forrester from Tripwire for handling my bug
 report.

References:
1.
 David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
 http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html

2.
 Kris Kennaway's post to Bugtraq about temporary files.
 http://lwn.net/2000/1221/a/sec-tmp.php3

3.
 Creating Secure Software: 
 http://www.eforceglobal.com/pdf/whitepapers/SecureSoftware-01-10-01-FINAL.pdf

-- 
Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
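
The open-flag difference described in the advisory and the source message, next to a private-directory open in the spirit of the TEMPDIRECTORY fix, as an added C example (not Tripwire's code and not part of the original report). The function names, the scratch directory under /tmp and the file names are constructed for illustration; the ownership and mode check is an assumption about what "only accessible to root" should mean in practice.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: predictable name; excl=0 omits O_EXCL. */
int open_predictable(const char *path, int excl) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | (excl ? O_EXCL : 0), 0600);
}

/* Hardened form: reject a temp directory that is not ours or that group/other
 * can write to, then let mkstemp() pick the name and create it exclusively. */
int open_private_temp(const char *dir, char *path, size_t len) {
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) return -1;
    if (snprintf(path, len, "%s/twtempXXXXXX", dir) >= (int)len) return -1;
    return mkstemp(path);
}

/* Constructed scenario in a scratch directory: a symlink at the predictable name
 * points at a stand-in "critical" file. Returns that file's size after the open. */
long size_after_open(int excl, int *open_errno) {
    char dir[] = "/tmp/tw-demo-XXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/critical", dir);
    snprintf(lnk, sizeof lnk, "%s/twtempa12345", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(target, lnk) != 0) return -1;
    int fd = open_predictable(lnk, excl);
    *open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    long size = (stat(target, &st) == 0) ? (long)st.st_size : -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    int e0, e1;
    long a = size_after_open(0, &e0), b = size_after_open(1, &e1);
    printf("no O_EXCL: %ld bytes left; O_EXCL: %ld bytes left, errno %d\n", a, b, e1);
    return 0;
}
```

Without O_EXCL the open follows the link and truncates the stand-in file; with O_EXCL it fails with EEXIST and the file is left intact.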

 
 



Copyright 2021, SecurityGlobal.net LLC