Red Hat Bugzilla – Bug 460628
CVE-2008-4982 rkhunter: Insecure auxiliary /tmp file usage (symlink attack possible)
Last modified: 2008-11-06 12:29:20 EST
The rkhunter package, as shipped within the Fedora releases, is prone
to a symlink attack.
Affected file: /usr/bin/rkhunter
Relevant part of the code:
43 if [ "$1" = "--debug" ]; then
44     if [ -e "/tmp/rkhunter-debug" ]; then
45         if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
46             rm -f /tmp/rkhunter-debug >/dev/null 2>&1
48             echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
49             exit 1
55     exec 1>/tmp/rkhunter-debug 2>&1
56     set -x
A malicious user could pre-create a symbolic link at the path
'/tmp/rkhunter-debug', then run the rkhunter command to destroy / truncate
the target of the symlink to zero size.
This issue affects all versions of the rkhunter package as shipped within
the Fedora 8 and 9 releases, and the versions of the rkhunter package
as shipped within the Extra Packages for Enterprise Linux (EPEL) project.
The more real bug in Debian seems to be:
(the one you refer to is the mass bug filing against a bunch of packages' tmp use).
Debian seems to have fixed this by using mktemp for the debug file, but leaving it in /tmp/
Should we do likewise, or move the debug file to /var/run/ as well?
Note that the current script does test the file for being a regular file, so the window for the attack is pretty small.
Created attachment 315445: proposed patch using mktemp
Here's a proposed patch using mktemp.
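As an added example, not the attached patch or rkhunter's own code, here is a hardened form of the '--debug' handling quoted above that replaces the fixed /tmp/rkhunter-debug path with mktemp; the function name open_debug_log and the variable RKH_DEBUGFILE are assumptions.

```shell
#!/bin/sh
# Added example, not the Fedora patch or rkhunter's code: hardened '--debug'
# log creation. mktemp creates the file itself (exclusive create, mode 0600)
# under an unpredictable name, so there is no check-then-open window and a
# pre-created symlink at a guessable path is never followed.
# open_debug_log and RKH_DEBUGFILE are hypothetical names.

open_debug_log() {
    # mktemp fails instead of reusing an existing path; the XXXXXX suffix
    # is replaced with random characters. Honours TMPDIR, defaults to /tmp.
    RKH_DEBUGFILE=$(mktemp "${TMPDIR:-/tmp}/rkhunter-debug.XXXXXX") || {
        echo "Cannot use '--debug' option: unable to create a temporary file." >&2
        return 1
    }
    # Defence in depth: confirm what we were handed is a plain file, not a
    # link, before redirecting stdout/stderr into it.
    if [ -h "$RKH_DEBUGFILE" ] || [ ! -f "$RKH_DEBUGFILE" ]; then
        echo "Cannot use '--debug' option: $RKH_DEBUGFILE is not a regular file." >&2
        return 1
    fi
    printf '%s\n' "$RKH_DEBUGFILE"
}

# Same control flow as the original script, with the fixed path gone.
if [ "$1" = "--debug" ]; then
    debugfile=$(open_debug_log) || exit 1
    echo "Debug output is being written to $debugfile" >&2
    exec 1>>"$debugfile" 2>&1
    set -x
fi
```

The script tells the user where the log went because the name is no longer predictable, which is the price of closing the race.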
rkhunter-1.3.2-5.fc9 has been submitted as an update for Fedora 9.
rkhunter-1.3.2-5.fc8 has been submitted as an update for Fedora 8.
rkhunter-1.3.2-5.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
rkhunter-1.3.2-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-4982 was assigned to this flaw:
rkhunter in rkhunter 1.3.2 allows local users to overwrite arbitrary
files via a symlink attack on the /tmp/rkhunter-debug temporary file.
NOTE: this is probably a different vulnerability than CVE-2005-1270.