Bug 63303

Summary: uudecode insecure output file handling can cause race condition and lead to local root exploit
Product: [Retired] Red Hat Linux
Reporter: Peter Bieringer <pb>
Component: sharutils
Assignee: Than Ngo <than>
Status: CLOSED RAWHIDE
QA Contact: Aaron Brown <abrown>
Severity: medium
Priority: medium
Version: 7.2
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2002-04-12 12:03:43 UTC

Description Peter Bieringer 2002-04-12 06:12:44 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.17-0.18 i686)

Description of problem:
uudecode doesn't check whether the output filename already exists, nor does it
check for a symlink (tested, exploitable) or a named pipe (still to be tested)

Version-Release number of selected component (if applicable):
$ uudecode -v
uudecode - GNU sharutils 4.2.1

How reproducible:
Always

Steps to Reproduce:
User/1: Know a filename which will be created by uudecode running as root in
insecure temp directories

User/2: Prepare
$ touch /home/test/wait-for-file
$ ln -s /home/test/wait-for-file /tmp/uudecode-racecondition.sh
$ stat /home/test/wait-for-file
  File: "/home/test/wait-for-file"
  Size: 0               Blocks: 0          IO Block: 8192   Regular File
Device: ch/12d  Inode: 68858       Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/   test)   Gid: (  100/   users)

Root/1: Got a uuencoded file, e.g.
begin 644 /tmp/uudecode-racecondition.sh
7(R$O8FEN+W-H"F5C:&\@(DAE;&QO(@H`
`
end
[contains echo "Hello"]

Root/2: Decode file
# uudecode uudecode-racecondition.uue


User/3: See expected result
$ stat /home/test/wait-for-file
  File: "/home/test/wait-for-file"
  Size: 23              Blocks: 2          IO Block: 8192   Regular File
Device: ch/12d  Inode: 68858       Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/   test)   Gid: (  100/   users)

$ head /home/test/wait-for-file
#!/bin/sh
echo "Hello"

See permissions: 644, owner is user!

Actual Results:  Native file is created in the wrong directory with the wrong
permissions

Expected Results:  uudecode checks the output filename before writing any data,
to ensure it is neither a symlink nor a named pipe

Additional info:

A generic (not RHL-only) bugtraq posting is being written

Problem detected while looking into an installer shell program of a commercial
Linux software package, which uses insecure hardcoded uudecode filenames like
"/var/tmp/...."

Comment 1 Peter Bieringer 2002-04-12 12:03:39 UTC
See here for more: http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
A Perl pipe "exploit" works and is available

Comment 2 Ngo Than 2002-04-14 16:53:58 UTC
It's fixed in sharutils-4.2.1-9

Comment 3 Peter Bieringer 2002-07-05 09:57:41 UTC
Should we also think about protection for char and block devices and Unix domain sockets?
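As an added example (not sharutils' code and not from the reporter or the assignee), here is the kind of output-file check the Expected Results above and Comment 3 ask for: open the output path with O_NOFOLLOW so a planted symlink is refused, then fstat the descriptor actually held and accept only a regular file, which also rejects named pipes, sockets, directories and char/block devices. The demo routine rebuilds the report's scenario (a victim file, a symlink to it, a FIFO) in a constructed temp directory; the names `safe_open_output`, `demo_scenario` and the paths under /tmp are this example's own, and the /dev/null case is skipped if that node is not a character device on the host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why safe_open_output() refused (or accepted) a path. */
enum open_outcome {
    OUT_OK = 0,
    OUT_SYMLINK,      /* final path component is a symbolic link */
    OUT_NOT_REGULAR,  /* FIFO, socket, directory, char or block device */
    OUT_ERROR         /* any other open/fstat failure (see errno) */
};

/* Open `path` for writing only if it is, or is newly created as, a plain
 * regular file. Returns an fd, or -1 with *why set to the reason. */
int safe_open_output(const char *path, mode_t mode, int *why)
{
    struct stat st;
    int fl;
    /* O_NOFOLLOW refuses a symlink at the final component (the report's case).
     * O_NONBLOCK keeps a FIFO with no reader from hanging the process.
     * No O_TRUNC: nothing is modified until the object has been checked. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, mode);
    if (fd < 0) {
        if (errno == ELOOP || errno == EMLINK)       /* Linux / BSD symlink refusal */
            *why = OUT_SYMLINK;
        else if (errno == ENXIO || errno == EISDIR)  /* readerless FIFO, socket, dir */
            *why = OUT_NOT_REGULAR;
        else
            *why = OUT_ERROR;
        return -1;
    }
    /* Check the descriptor we hold, not the name: a lookup by name could be
     * raced between the check and the write. */
    if (fstat(fd, &st) < 0) { close(fd); *why = OUT_ERROR; return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); *why = OUT_NOT_REGULAR; return -1; }
    /* Verified regular file: clear O_NONBLOCK and truncate (overwrite semantics). */
    fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) < 0 || ftruncate(fd, 0) < 0) {
        close(fd); *why = OUT_ERROR; return -1;
    }
    *why = OUT_OK;
    return fd;
}

/* Rebuild the report's scenario in a fresh temp directory (constructed test
 * fixture) and count cases whose outcome differs from the intended one.
 * Returns 0 when every case behaves as intended, -1 if setup failed. */
int demo_scenario(void)
{
    char dir[] = "/tmp/uudecode-demo-XXXXXX";
    char target[256], link[256], fifo[256], plain[256];
    struct stat st;
    int fd, why, failures = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/wait-for-file", dir);    /* other user's file */
    snprintf(link,   sizeof link,   "%s/racecondition.sh", dir); /* symlink pointing at it */
    snprintf(fifo,   sizeof fifo,   "%s/pipe", dir);
    snprintf(plain,  sizeof plain,  "%s/plain.sh", dir);

    fd = open(target, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || symlink(target, link) < 0 || mkfifo(fifo, 0644) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    close(fd);

    /* Case 1: the planted symlink must be refused. */
    fd = safe_open_output(link, 0644, &why);
    if (fd >= 0 || why != OUT_SYMLINK) failures++;
    if (fd >= 0) close(fd);

    /* Case 2: a named pipe must be refused. */
    fd = safe_open_output(fifo, 0644, &why);
    if (fd >= 0 || why != OUT_NOT_REGULAR) failures++;
    if (fd >= 0) close(fd);

    /* Case 3: a character device (Comment 3's question) must be refused. */
    if (stat("/dev/null", &st) == 0 && S_ISCHR(st.st_mode)) {
        fd = safe_open_output("/dev/null", 0644, &why);
        if (fd >= 0 || why != OUT_NOT_REGULAR) failures++;
        if (fd >= 0) close(fd);
    }

    /* Case 4: a fresh regular file is accepted and writable. */
    fd = safe_open_output(plain, 0644, &why);
    if (fd < 0 || why != OUT_OK || write(fd, "#!/bin/sh\n", 10) != 10) failures++;
    if (fd >= 0) close(fd);

    /* Case 5: the other user's file was never touched (still 0 bytes). */
    if (stat(target, &st) < 0 || st.st_size != 0) failures++;

    unlink(plain); unlink(fifo); unlink(link); unlink(target); rmdir(dir);
    return failures;
}

int main(void)
{
    int bad = demo_scenario();
    printf("%s (%d unexpected outcomes)\n", bad == 0 ? "all cases behaved" : "PROBLEM", bad);
    return bad == 0 ? 0 : 1;
}
```

The important design point is that the type check is done on the open descriptor with fstat, not on the path with stat or lstat: a name-based check followed by a separate open is exactly the check-then-use window a symlink race exploits, whereas O_NOFOLLOW plus fstat on the same fd leaves no such gap.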