Symlink attack

Dpk dpk@egr.msu.edu
Thu, 2 Mar 2000 10:41:51 -0500


On Thu, Mar 02, 2000 at 10:18:59AM -0500, Alan Garrison wrote:

   Could someone explain in 5-10 sentences what exactly a symlink
   attack is?  Is it just a permissions thing, or is it more
   complicated?

Many programs create files in /tmp when they start, or while they are
running.  Since /tmp can be written to by any user, programs need to
make sure the file they create is not a symlink or world writable.
This is especially critical when the program runs as root.

Example: Program "a" creates /tmp/a.log at startup.  

         A user creates a symlink before the program starts, or writes
         a.log: /tmp/a.log -> /etc/passwd

         The /etc/passwd file is wiped and now contains logging
         information for program "a".

This is even worse when the files are created world-writable, because
then a user could write to the password file!  A common,
poor-programming hack is to create semi-random file names, like
a-3675.log (using the pid), but then all one needs to do is write a
script to generate 1000 links starting at the current process id,
etc.

This should get you started... www.securityfocus.com will have
archives of /tmp symlink attack discussions.

Dennis Kelly                    email: dpk@egr.msu.edu
Network Administrator           phone: 353-4844
College of Engineering          pager: 232-8117
Michigan State University
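As an added illustration of the two file-creation habits Dennis contrasts (not code from the original post), here is the naive `open()` pattern beside the hardened one, exercised against a constructed scratch directory that mimics the `/tmp/a.log -> /etc/passwd` layout. The directory, the `victim` file and its sentinel line are assumptions made for the demo; the flags used (`O_EXCL`, `O_NOFOLLOW`, mode `0600`) are standard POSIX.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened variant: O_EXCL makes creation fail if anything already sits at
 * the path (a symlink counts, whatever it points to), O_NOFOLLOW refuses to
 * traverse a symlink in the last component, and mode 0600 keeps the file
 * private instead of world-writable.  Returns an fd, or -1 with errno set. */
int create_private_log(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The pattern the post warns about: O_CREAT without O_EXCL opens whatever
 * already exists at the path, following a symlink, and O_TRUNC empties it.
 * Kept here only so the demo can contrast the two inside a scratch dir. */
int create_log_naively(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Constructed scratch layout: <dir>/victim holds a sentinel line and
 * <dir>/a.log is a symlink pointing at it (the post's /tmp/a.log -> /etc/passwd). */
struct scratch { char dir[256]; char victim[300]; char link[300]; };

static const char SENTINEL[] = "root:x:0:0:root:/root:/bin/sh\n";

static int scratch_setup(struct scratch *s)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL) base = "/tmp";
    snprintf(s->dir, sizeof s->dir, "%s/symlinkdemo.XXXXXX", base);
    if (mkdtemp(s->dir) == NULL) return -1;
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    snprintf(s->link, sizeof s->link, "%s/a.log", s->dir);
    FILE *f = fopen(s->victim, "w");
    if (f == NULL) { rmdir(s->dir); return -1; }
    fputs(SENTINEL, f);
    fclose(f);
    return symlink(s->victim, s->link);     /* a.log -> victim */
}

static void scratch_teardown(struct scratch *s)
{
    unlink(s->link);
    unlink(s->victim);
    rmdir(s->dir);
}

/* Size of the victim file, or -1 if it vanished. */
static long victim_size(const struct scratch *s)
{
    struct stat st;
    return stat(s->victim, &st) == 0 ? (long)st.st_size : -1;
}

/* Returns 1 when the hardened open refuses the symlink (EEXIST from O_EXCL
 * or ELOOP from O_NOFOLLOW) and the victim file keeps its content. */
int hardened_open_refuses_symlink(void)
{
    struct scratch s;
    if (scratch_setup(&s) != 0) return 0;
    int fd = create_private_log(s.link);
    int refused = (fd == -1) && (errno == EEXIST || errno == ELOOP);
    if (fd != -1) close(fd);
    int intact = victim_size(&s) == (long)strlen(SENTINEL);
    scratch_teardown(&s);
    return refused && intact;
}

/* Returns 1 when the naive open follows the symlink and truncates the
 * victim, which is exactly the wiped-/etc/passwd outcome from the post. */
int naive_open_follows_symlink(void)
{
    struct scratch s;
    if (scratch_setup(&s) != 0) return 0;
    int fd = create_log_naively(s.link);
    int opened = fd != -1;
    if (opened) close(fd);
    int truncated = victim_size(&s) == 0;
    scratch_teardown(&s);
    return opened && truncated;
}

int main(void)
{
    printf("hardened open refuses symlink: %s\n",
           hardened_open_refuses_symlink() ? "yes" : "no");
    printf("naive open clobbers the target: %s\n",
           naive_open_follows_symlink() ? "yes" : "no");
    return 0;
}
```

The refusal comes from the kernel, not from a separate `lstat()` check, which matters: a check-then-open sequence leaves a window in which the link can be swapped in, whereas `O_CREAT|O_EXCL` is atomic. `mkstemp(3)` applies the same flags internally and picks the name for you, which also defeats the pid-guessing trick the post mentions.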