Bug 782619 - xrdp: predictable temporary files may lead to arbitrary file overwrite
Summary: xrdp: predictable temporary files may lead to arbitrary file overwrite
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 782620 782621
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-17 23:21 UTC by Vincent Danen
Modified: 2019-09-29 12:49 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 21:43:30 UTC
Embargoed:

Attachments (Terms of Use)

Description Vincent Danen 2012-01-17 23:21:31 UTC 
A Debian bug report [1] noted that xrdp would create predictable files in /tmp.  Permission-wise these files are not awful (they follow the user's umask, so for users running xrdp the files are created 0775 and for root they're created 0755); when started as a system service, xrdp runs as root.

srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_listen_pro_done_event
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_main_sync
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_main_term
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_sesman_00004bbd_main_sync
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_sesman_00004bbd_main_term

The problem seems to lie in how these files are handled.  From what I can see of the code, there are no checks made to ensure the files do not exist already (which can lead to overwriting arbitrary files via symlink attacks) when they are created or removed.

For instance, in sesman/sessvc/sessvc.c:

54 int APP_CC
55 chansrv_cleanup(int pid)
56 {
57   char text[256];
58
59   g_snprintf(text, 255, "/tmp/xrdp_chansrv_%8.8x_main_term", pid);
60   if (g_file_exist(text))
61   {
62     g_file_delete(text);
63

Also, in common/os_calls.c, the g_create_wait_obj() function is used to create many of these files, but does not seem to check for any existing files when doing so:

707   g_memset(&sa,0,sizeof(struct sockaddr_un));
708
709   sck = socket(PF_UNIX, SOCK_DGRAM, 0);
...
714   memset(&sa, 0, sizeof(sa));
715   sa.sun_family = AF_UNIX;
716   if ((name == 0) || (strlen(name) == 0))
717   {
718     g_random((char*)&i, sizeof(i));
719     sprintf(sa.sun_path, "/tmp/auto%8.8x", i);
720     while (g_file_exist(sa.sun_path))
721     {
722       g_random((char*)&i, sizeof(i));
723       sprintf(sa.sun_path, "/tmp/auto%8.8x", i);
724     }
725   }
726   else
727   {
728     sprintf(sa.sun_path, "/tmp/%s", name);
729   }
730   unlink(sa.sun_path);
731   len = sizeof(sa);
732   if (bind(sck, (struct sockaddr*)&sa, len) < 0)
733   {
734     close(sck);
735     return 0;
736   }
737   obj = (tbus)sck;
738   return obj;

Alternatives might include using mkstemp() to create the files, or using something like /var/run/xdrp/ as a directory to store these files instead of /tmp (or using mkdtemp() to create a secure temporary directory (if running xdrp by a regular user is a valid use-case; I'm not sure if it is) in which the files can then be written.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656210
Comment 1 Vincent Danen 2012-01-17 23:22:46 UTC 
Created xrdp tracking bugs for this issue

Affects: fedora-all [bug 782620]
Affects: epel-all [bug 782621]
Comment 2 pjp 2014-11-01 09:52:22 UTC 
The issue seems to have been fixed long time back, might also need a CVE too.

Upstream fixes:
---------------
  -> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656210#15

  -> https://github.com/neutrinolabs/xrdp/commit/d8f9e8310dac362bb9578763d1024178f94f4ecc

  -> https://github.com/neutrinolabs/xrdp/commit/cadad6e181d2a67698e5eb7cacd6b233ae29eb97
Note You need to log in before you can comment on or make changes to this bug.