Bug 460628 - CVE-2008-4982 rkhunter: Insecure auxiliary /tmp file usage (symlink attack possible)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: reported=20080826,public=20080824,sou...
Keywords: Security
Reported: 2008-08-29 04:26 EDT by Jan Lieskovsky
Modified: 2008-11-06 12:29 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-11-06 12:29:20 EST

Attachments:
proposed patch using mktemp (1.08 KB, patch), 2008-08-31 12:25 EDT, Kevin Fenzi

Description Jan Lieskovsky 2008-08-29 04:26:59 EDT
The rkhunter package, as shipped within the Fedora releases, is prone
to the symlink attack.

Affected file: /usr/bin/rkhunter

Relevant part of the code:

if [ "$1" = "--debug" ]; then
        if [ -e "/tmp/rkhunter-debug" ]; then
                if [ -f "/tmp/rkhunter-debug" -a ! -h "/tmp/rkhunter-debug" ]; then
                        rm -f /tmp/rkhunter-debug >/dev/null 2>&1
                else
                        echo "Cannot use '--debug' option. /tmp/rkhunter-debug already exists, but it is not a file."
                        exit 1
                fi
        fi

        DEBUG_OPT=1

        # the check above and this redirection are separate steps on a
        # predictable path: the shell follows whatever sits there at open time
        exec 1>/tmp/rkhunter-debug 2>&1
        set -x
fi

Description:

A malicious user could precreate a symbolic link pointing to the file
'/tmp/rkhunter-debug', then run the rkhunter command to destroy / truncate
the target of the symlink to zero size.

References:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496366

Affected versions:

This issue affects all versions of the rkhunter package, as shipped within
the Fedora releases of 8 and 9 and the versions of the rkhunter package,
as shipped within the Extra Packages for Enterprise Linux (EPEL) project.
Comment 1 Kevin Fenzi 2008-08-31 12:19:41 EDT
The more real bug in debian seems to be: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496375
(the one you refer to is the mass bug filing against a bunch of packages' tmp use). 

Debian seems to have fixed this by using mktemp for the debug file, but leaving it in /tmp/

Should we do likewise, or move the debug file to /var/run/ as well? 
Note that the current script does test the file for being a regular file, so the window for the attack is pretty small.
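The following is an added example, not rkhunter's own code and not the patch attached to this bug. It puts the report's weak pattern (a predictable /tmp name, checked and then opened in two separate steps) next to the mktemp-based approach Comment 1 describes: mktemp creates the file itself with O_CREAT|O_EXCL and mode 0600 under a unique name, so there is no fixed path for a symlink to be pre-placed at, and no gap between "check" and "open". The function names open_debug_log, safe_truncate_check and demo, and the victim/symlink scenario in demo, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter's code): open a debug log safely instead of
# "exec 1>/tmp/rkhunter-debug" on a predictable, world-writable-directory path.

# open_debug_log [DIR]
#   Creates a fresh, private debug log under DIR (default $TMPDIR or /tmp) and
#   prints its path on stdout. Returns 1 and prints nothing on any failure.
open_debug_log() {
    dir=${1:-${TMPDIR:-/tmp}}

    # mktemp never reuses an existing name, so a symlink pre-placed at
    # "rkhunter-debug" is simply not the file we end up writing to.
    f=$(mktemp "$dir/rkhunter-debug.XXXXXX") || return 1

    # Defence in depth: what we got back must be a regular file, not a
    # symlink, and owned by the current user; otherwise drop it and fail.
    if [ ! -f "$f" ] || [ -h "$f" ] || [ ! -O "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# safe_truncate_check PATH
#   The original script's pre-check, kept as a function for comparison:
#   returns 0 if PATH is absent or a regular non-symlink file, 1 otherwise.
#   On its own this only narrows the race window; the open that follows it
#   is still a separate step on the same predictable name.
safe_truncate_check() {
    p=$1
    [ ! -e "$p" ] && return 0
    [ -f "$p" ] && [ ! -h "$p" ]
}

# demo
#   Constructed scenario: a symlink already sits at the predictable name.
#   The hardened path writes to a different, freshly created file and the
#   symlink's target keeps its content. Returns 0 on success.
demo() {
    work=$(mktemp -d) || return 1
    printf 'important data\n' > "$work/victim"
    ln -s "$work/victim" "$work/rkhunter-debug"

    # The weak check rejects the symlink it can see ...
    safe_truncate_check "$work/rkhunter-debug" && { rm -rf "$work"; return 1; }

    # ... and the hardened path does not depend on that check at all.
    log=$(open_debug_log "$work") || { rm -rf "$work"; return 1; }
    echo "debug output" > "$log"

    # The symlink target is untouched.
    [ "$(cat "$work/victim")" = "important data" ] || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    echo "ok: debug log went to $log, symlink target untouched"
}

demo
```

Because the name is now unpredictable, the script has to tell the user where the debug output went (the path open_debug_log prints), which is the one usability cost of this fix; moving the file out of /tmp into a directory only root can write, as Comment 1 also considers, removes the shared-directory problem entirely.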
Comment 2 Kevin Fenzi 2008-08-31 12:25:20 EDT
Created attachment 315445
proposed patch using mktemp

Here's a proposed patch using mktemp.
Comment 3 Fedora Update System 2008-09-15 18:16:38 EDT
rkhunter-1.3.2-5.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc9
Comment 4 Fedora Update System 2008-09-15 18:20:58 EDT
rkhunter-1.3.2-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/rkhunter-1.3.2-5.fc8
Comment 5 Fedora Update System 2008-09-24 20:21:38 EDT
rkhunter-1.3.2-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-09-24 20:26:50 EDT
rkhunter-1.3.2-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Tomas Hoger 2008-11-06 12:28:16 EST
CVE id CVE-2008-4982 was assigned to this flaw:

rkhunter in rkhunter 1.3.2 allows local users to overwrite arbitrary
files via a symlink attack on the /tmp/rkhunter-debug temporary file.
NOTE: this is probably a different vulnerability than CVE-2005-1270.
