Bug 63303 - uudecode insecure output file handling can cause race condition and lead to local root exploit
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: sharutils
7.2
All Linux
medium Severity medium
Assigned To: Ngo Than
Aaron Brown
: Security
Reported: 2002-04-12 02:12 EDT by Peter Bieringer
Modified: 2007-04-18 12:41 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-04-12 08:03:43 EDT
Description Peter Bieringer 2002-04-12 02:12:44 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.17-0.18 i686)

Description of problem:
uudecode doesn't check whether the output filename already exists; it doesn't
even check for a symlink (tested, exploitable) or for a named pipe (still to be tested)

Version-Release number of selected component (if applicable):
$ uudecode -v
uudecode - GNU sharutils 4.2.1

How reproducible:
Always

Steps to Reproduce:
User/1: Know a filename which will be created by uudecode run by root in
insecure temp directories

User/2: Prepare
$ touch /home/test/wait-for-file
$ ln -s /home/test/wait-for-file /tmp/uudecode-racecondition.sh
$ stat /home/test/wait-for-file
  File: "/home/test/wait-for-file"
  Size: 0               Blocks: 0          IO Block: 8192   Regular File
Device: ch/12d  Inode: 68858       Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/   test)   Gid: (  100/   users)

Root/1: Got a uuencoded file, e.g.
begin 644 /tmp/uudecode-racecondition.sh
7(R$O8FEN+W-H"F5C:&\@(DAE;&QO(@H`
`
end
[contains echo "Hello"]

Root/2: Decode file
# uudecode uudecode-racecondition.uue


User/3: See expected result
$ stat /home/test/wait-for-file
  File: "/home/test/wait-for-file"
  Size: 23              Blocks: 2          IO Block: 8192   Regular File
Device: ch/12d  Inode: 68858       Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1001/   test)   Gid: (  100/   users)

$ head /home/test/wait-for-file
#!/bin/sh
echo "Hello"

See permissions: 644, owner is user!

Actual Results:  Native file is created in wrong directory with wrong
permissions

Expected Results:  uudecode checks, before writing any data, that the output
filename is neither a symlink nor a named pipe

Additional info:

A generic (not only RHL) bugtraq posting is being written

Problem detected while looking into an installer shell program of commercial
Linux software, which uses insecure hardcoded uudecode filenames like
"/var/tmp/...."
Comment 1 Peter Bieringer 2002-04-12 08:03:39 EDT
See here for more: http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
Perl pipe "exploit" works, is available
Comment 2 Ngo Than 2002-04-14 12:53:58 EDT
It's fixed in sharutils-4.2.1-9
Comment 3 Peter Bieringer 2002-07-05 05:57:41 EDT
Should we also think about protection for char and block devices and Unix domain sockets?
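
The check asked for under "Expected Results", extended to the file types raised in Comment 3, as an added C example (not the sharutils-4.2.1-9 fix and not code from this report). `open_output_safely` and `demo` are hypothetical names, the ownership and link-count checks are an assumed policy, and the demo paths are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper (not sharutils code): returns a write fd, or -1. */
int open_output_safely(const char *path, mode_t mode)
{
    struct stat st;
    /* O_CREAT|O_EXCL never follows a symlink and fails on any existing name. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd >= 0 || errno != EEXIST) return fd;
    /* Name exists: O_NOFOLLOW refuses a final-component symlink (ELOOP);
     * O_NONBLOCK makes a FIFO without a reader fail (ENXIO), not block. */
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() the descriptor, not the name, so nothing can be swapped between
     * check and use. Accept only our own, singly linked regular file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid() || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;   /* truncated only after every check passed */
}

/* Constructed demo. Bits: 1 new file accepted, 2 symlink refused,
 * 4 FIFO refused, 8 symlink target still holds its one byte. */
int demo(void)
{
    char dir[] = "/tmp/uudemoXXXXXX", p[4][64];
    const char *name[4] = { "victim", "link", "fifo", "new" };
    struct stat st; int r = 0, fd;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/%s", dir, name[i]);
    fd = open(p[0], O_WRONLY | O_CREAT, 0644);  /* stands in for wait-for-file */
    if (fd < 0 || write(fd, "x", 1) != 1 || close(fd) != 0) return -1;
    if (symlink(p[0], p[1]) != 0 || mkfifo(p[2], 0600) != 0) return -1;
    if ((fd = open_output_safely(p[3], 0644)) >= 0) { r |= 1; close(fd); }
    if (open_output_safely(p[1], 0644) < 0) r |= 2;
    if (open_output_safely(p[2], 0644) < 0) r |= 4;
    if (stat(p[0], &st) == 0 && st.st_size == 1) r |= 8;
    for (int i = 0; i < 4; i++) unlink(p[i]);
    rmdir(dir);
    return r;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

Character and block devices fail the `S_ISREG` test on the opened descriptor, and a Unix domain socket cannot be opened with `open()` at all, so both are refused by the same path.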
