Symlink attack
Dpk
dpk@egr.msu.edu
Thu, 2 Mar 2000 10:41:51 -0500
On Thu, Mar 02, 2000 at 10:18:59AM -0500, Alan Garrison wrote:
> Could someone explain in 5-10 sentences what exactly a symlink
> attack is? Is it just a permissions thing, or is it more
> complicated?
Many programs create files in /tmp when they start, or while they are
running. Since /tmp can be written to by any user, programs need to
make sure the file they create is not a symlink or world writable.
This is especially critical when the program runs as root.
Example: Program "a" creates /tmp/a.log at startup.
A user creates a symlink before the program starts, or writes
a.log: /tmp/a.log -> /etc/passwd
The /etc/passwd file is wiped and now contains logging
information for program "a".
This is even worse when the files are created world-writable, because
then a user could write to the password file! A common,
poor-programming hack is to create semi-random file names, like
a-3675.log (using the pid), but then all one needs to do is write a
script to generate 1000 links starting at the current process id,
etc.
This should get you started... www.securityfocus.com will have
archives of /tmp symlink attack discussions.
Dennis Kelly email: dpk@egr.msu.edu
Network Administrator phone: 353-4844
College of Engineering pager: 232-8117
Michigan State University
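The two ways of opening the log file discussed above, side by side, as an added example that is not part of Dennis Kelly's message: a naive open(2) with O_TRUNC, which follows a pre-planted symlink and wipes its target, versus a hardened open with O_EXCL|O_NOFOLLOW, which refuses the name. The "victim" file and the link are constructed inside a private directory; it assumes a POSIX system with a writable /tmp.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive logger open: O_TRUNC follows a symlink and wipes whatever it points at. */
int open_log_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open: O_EXCL refuses a name that already exists (a pre-planted
 * link included) and O_NOFOLLOW refuses to follow a symlink at all; mode 0600
 * keeps the log private. mkstemp() gives the same guarantees for random names. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed demo inside a private directory: a "victim" file stands in for
 * /etc/passwd, and a.log is a symlink to it. Returns 1 when the naive open
 * wipes the victim and the safe open refuses, 0 on any setup failure. */
int demo(void) {
    char dir[] = "/tmp/symlinkdemoXXXXXX";
    char victim[64], log[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/a.log", dir);

    int fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6) return 0;
    close(fd);
    if (symlink(victim, log) != 0) return 0;   /* the pre-planted link */

    int naive = open_log_naive(log);           /* follows the link */
    if (naive >= 0) close(naive);
    int wiped = (stat(victim, &st) == 0 && st.st_size == 0);

    int safe = open_log_safe(log);             /* fails: EEXIST or ELOOP */
    int refused = (safe < 0 && (errno == EEXIST || errno == ELOOP));
    if (safe >= 0) close(safe);

    unlink(log); unlink(victim); rmdir(dir);
    return wiped && refused;
}
```

demo() returns 1 on a system where the hardened open behaves as described; a 0 points at a setup failure rather than at the open flags.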