Bug 782619
| Summary: | xrdp: predictable temporary files may lead to arbitrary file overwrite | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | itamar, jrusnack, pj.pandit |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-10 21:43:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 782620, 782621 | ||
| Bug Blocks: | |||
Created xrdp tracking bugs for this issue Affects: fedora-all [bug 782620] Affects: epel-all [bug 782621] The issue seems to have been fixed long time back, might also need a CVE too. Upstream fixes: --------------- -> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656210#15 -> https://github.com/neutrinolabs/xrdp/commit/d8f9e8310dac362bb9578763d1024178f94f4ecc -> https://github.com/neutrinolabs/xrdp/commit/cadad6e181d2a67698e5eb7cacd6b233ae29eb97 |
A Debian bug report [1] noted that xrdp would create predictable files in /tmp. Permission-wise these files are not awful (they follow the user's umask, so for users running xrdp the files are created 0775 and for root they're created 0755); when started as a system service, xrdp runs as root. srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_listen_pro_done_event srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_main_sync srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_main_term srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_sesman_00004bbd_main_sync srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_sesman_00004bbd_main_term The problem seems to lie in how these files are handled. From what I can see of the code, there are no checks made to ensure the files do not exist already (which can lead to overwriting arbitrary files via symlink attacks) when they are created or removed. For instance, in sesman/sessvc/sessvc.c: 54 int APP_CC 55 chansrv_cleanup(int pid) 56 { 57 char text[256]; 58 59 g_snprintf(text, 255, "/tmp/xrdp_chansrv_%8.8x_main_term", pid); 60 if (g_file_exist(text)) 61 { 62 g_file_delete(text); 63 Also, in common/os_calls.c, the g_create_wait_obj() function is used to create many of these files, but does not seem to check for any existing files when doing so: 707 g_memset(&sa,0,sizeof(struct sockaddr_un)); 708 709 sck = socket(PF_UNIX, SOCK_DGRAM, 0); ... 714 memset(&sa, 0, sizeof(sa)); 715 sa.sun_family = AF_UNIX; 716 if ((name == 0) || (strlen(name) == 0)) 717 { 718 g_random((char*)&i, sizeof(i)); 719 sprintf(sa.sun_path, "/tmp/auto%8.8x", i); 720 while (g_file_exist(sa.sun_path)) 721 { 722 g_random((char*)&i, sizeof(i)); 723 sprintf(sa.sun_path, "/tmp/auto%8.8x", i); 724 } 725 } 726 else 727 { 728 sprintf(sa.sun_path, "/tmp/%s", name); 729 } 730 unlink(sa.sun_path); 731 len = sizeof(sa); 732 if (bind(sck, (struct sockaddr*)&sa, len) < 0) 733 { 734 close(sck); 735 return 0; 736 } 737 obj = (tbus)sck; 738 return obj; Alternatives might include using mkstemp() to create the files, or using something like /var/run/xdrp/ as a directory to store these files instead of /tmp (or using mkdtemp() to create a secure temporary directory (if running xdrp by a regular user is a valid use-case; I'm not sure if it is) in which the files can then be written. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656210