Bug 460628 (CVE-2008-4982)

Summary: CVE-2008-4982 rkhunter: Insecure auxiliary /tmp file usage (symlink attack possible)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: devrim, kevin
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-06 17:29:20 UTC
Attachments: proposed patch using mktemp (flags: none)

Description Jan Lieskovsky 2008-08-29 08:26:59 UTC
The rkhunter package, as shipped within the Fedora releases, is prone
to a symlink attack.

Affected file: /usr/bin/rkhunter

Relevant part of the code:

if [ "$1" = "--debug" ]; then
        if [ -e "/tmp/rkhunter-debug" ]; then
                if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
                        rm -f /tmp/rkhunter-debug >/dev/null 2>&1
                else
                        echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
                        exit 1
                fi
        fi

        DEBUG_OPT=1

        exec 1>/tmp/rkhunter-debug 2>&1
        set -x

Description:

A malicious user could pre-create a symbolic link at the path
'/tmp/rkhunter-debug', then run the rkhunter command to destroy / truncate
the target of the symlink to zero size.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496366

Affected versions:

This issue affects all versions of the rkhunter package, as shipped within
the Fedora releases of 8 and 9 and the versions of the rkhunter package,
as shipped within the Extra Packages for Enterprise Linux (EPEL) project.

Comment 1 Kevin Fenzi 2008-08-31 16:19:41 UTC
The more real bug in Debian seems to be:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496375
(the one you refer to is the mass bug filing against a bunch of packages' tmp use).

Debian seems to have fixed this by using mktemp for the debug file, but leaving it in /tmp/.

Should we do likewise, or move the debug file to /var/run/ as well?
Note that the current script does test the file for being a regular file, so the window for the attack is pretty small.

Comment 2 Kevin Fenzi 2008-08-31 16:25:20 UTC
Created attachment 315445
proposed patch using mktemp

Here's a proposed patch using mktemp.
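The mktemp-based approach discussed in the comments above, written out as an added example; this is not the attached patch or rkhunter's own code, and the function names (open_debug_log, check_symlink_not_followed) and the rkhunter-debug.XXXXXX template are assumptions.

```shell
# Added example (not rkhunter's code or the attached patch): create the
# --debug log with mktemp instead of the fixed name /tmp/rkhunter-debug.
# Assumptions: a mktemp that accepts a template ending in XXXXXX, and a
# caller that redirects its output to the returned path afterwards.

# mktemp opens the file with O_CREAT|O_EXCL under an unpredictable name, so
# a symlink planted in advance is never followed and never truncates its
# target; the file is created mode 0600, owned by the caller.
open_debug_log() {
    dir="${TMPDIR:-/tmp}"
    debug_file=$(mktemp "$dir/rkhunter-debug.XXXXXX") || {
        echo "Cannot use '--debug' option: unable to create a debug file in $dir." >&2
        return 1
    }
    # Belt and braces: the entry must be a regular file, not a symlink.
    if [ ! -f "$debug_file" ] || [ -h "$debug_file" ]; then
        rm -f "$debug_file"
        echo "Cannot use '--debug' option: $debug_file is not a regular file." >&2
        return 1
    fi
    printf '%s\n' "$debug_file"
    # The script would then continue with:  exec 1>"$debug_file" 2>&1; set -x
}

# Self-check: plant a symlink under the old predictable name inside a
# private scratch directory (constructed here for the check) and show
# that the mktemp-based log leaves the link's target untouched.
# Returns 0 when the target still holds its original contents.
check_symlink_not_followed() {
    scratch=$(mktemp -d) || return 1
    printf 'keep me\n' > "$scratch/target"
    ln -s "$scratch/target" "$scratch/rkhunter-debug"
    log=$(TMPDIR="$scratch" open_debug_log) || { rm -rf "$scratch"; return 1; }
    echo "debug output" > "$log"   # what 'exec 1>' would have written
    [ "$(cat "$scratch/target")" = "keep me" ] && [ "$log" != "$scratch/rkhunter-debug" ]
    status=$?
    rm -rf "$scratch"
    return $status
}
```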

Comment 3 Fedora Update System 2008-09-15 22:16:38 UTC
rkhunter-1.3.2-5.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc9

Comment 4 Fedora Update System 2008-09-15 22:20:58 UTC
rkhunter-1.3.2-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc8

Comment 5 Fedora Update System 2008-09-25 00:21:38 UTC
rkhunter-1.3.2-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-09-25 00:26:50 UTC
rkhunter-1.3.2-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Tomas Hoger 2008-11-06 17:28:16 UTC
CVE id CVE-2008-4982 was assigned to this flaw:

rkhunter in rkhunter 1.3.2 allows local users to overwrite arbitrary
files via a symlink attack on the /tmp/rkhunter-debug temporary file.
NOTE: this is probably a different vulnerability than CVE-2005-1270.