6566892 2001-05-31 13:15 +0300 /94 rader/ Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-31 16:52 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17221>
Ärende: Imp-2.2.4 temporary files
------------------------------------------------------------
From: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
To: bugtraq@securityfocus.com
Message-ID: <20010531131526.A57350@messi.uku.fi>
------------------------------------------------------------
Imp-2.2.4 creates insecure temporary files.
Jarno.Huuskonen@uku.fi
Thu May 31 2001
------------------------------------------------------------
Author:
Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
Discovered:
Wed 16 May 2001
Horde project 'dev' mailing list contacted on Fri 18 May 2001[1].
Imp-2.2.5 is available from http://www.horde.org/imp/
Platforms:
Only tested imp-2.2.4 on Linux and AIX (with php-4.0.5/php-3.0.18)
but AFAIK all platforms are affected.
Severity:
Possible local file overwrite (symlink attack). (For more information
about race conditions see[2]).
Abstract:
Imp-webmail uses predictable temporary filenames when handling
uploaded attachments or when 'viewing' attachments.
Details:
Uploaded attachments:
When a user composes a new email all the attachments are uploaded to
the webmail server. First PHP handles the file upload and creates a
temporary file (the file is created in php.ini 'upload_tmp_dir' or
/tmp). The temporary filename is something like /tmp/phpXXXXXX
(where X's are 'random'). After this imp's compose.php3 copies this
temporary file for safekeeping.
The destination filename imp uses is /tmp/phpXXXXXX.att, but imp fails
to check if the destination exists (and the destination file is opened
without the O_EXCL flag). So the attacker can watch /tmp (or
upload_tmp_dir) for phpXXXXXX files and then quickly create a symlink:
'ln -s /tmp/phpXXXXXX.att /to/webserver_writable_file'
Attachment viewers:
Imp can use external viewers for viewing email attachments like
zip-files. Before calling these viewers imp (imp/lib/mimetypes.lib)
saves the attachment into a temporary file. These filenames are
something like: /tmp/imp.'.date('Y-M-D_H:i:s').'__'.md5($contents).
So the filename is quite easy to guess and the file is opened
without O_EXCL (so creating a bunch of /tmp/imp.... symlinks is also
possible) (Note: Jon Parise has discovered this earlier[3]).
Solution:
Upgrade to imp-2.2.5 and use the 'upload_tmp_dir' directive (php.ini)
to define a directory where uploaded files should go (see
imp/docs/SECURITY for more information).
Note: Imp-2.2.5 uses the PHP tempnam function for creating temporary
files. With PHP versions earlier than 4.0.3? the tempnam function
doesn't use mkstemp (so it has a race condition) so upgrading to
PHP-4.0.5 or patching PHP-3.0.18 to use mkstemp is advisable[4].
Credits:
I would like to thank the horde team for creating a great webmail
interface.
References:
1.
dev@horde.org discussion about imp tempfile problems.
http://marc.theaimsgroup.com/?t=99018545400001&w=2&r=1
2.
David A. Wheeler: Secure Programming for Linux and Unix HOWTO.
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/avoid-race.html
3.
Patch for the imp/lib/mimetypes.lib temp file problem.
http://marc.theaimsgroup.com/?l=horde-dev&m=97528008715710&w=2
4.
PHP tempnam function.
http://marc.theaimsgroup.com/?l=php-dev&m=97972576709196&w=2
http://marc.theaimsgroup.com/?t=94184107200002&w=2&r=1
http://marc.theaimsgroup.com/?t=96811361900003&w=2&r=1
http://marc.theaimsgroup.com/?t=96683455000001&w=2&r=1
-Jarno
--
Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
(6566892) /Jarno Huuskonen <Jarno.Huuskonen@uku.fi>/