Bug 782619 - xrdp: predictable temporary files may lead to arbitrary file overwrite
xrdp: predictable temporary files may lead to arbitrary file overwrite
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20120117,reported=2...
: Security
Depends On: 782620 782621
Blocks:
  Show dependency treegraph
 
Reported: 2012-01-17 18:21 EST by Vincent Danen
Modified: 2016-06-10 17:43 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-10 17:43:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-01-17 18:21:31 EST
A Debian bug report [1] noted that xrdp would create predictable files in /tmp.  Permission-wise these files are not awful (they follow the user's umask, so for users running xrdp the files are created 0775 and for root they're created 0755); when started as a system service, xrdp runs as root.

srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_listen_pro_done_event
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_main_sync
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_00004bb9_main_term
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_sesman_00004bbd_main_sync
srwxr-xr-x 1 root root 0 Jan 11 13:06 /tmp/xrdp_sesman_00004bbd_main_term

The problem seems to lie in how these files are handled.  From what I can see of the code, there are no checks made to ensure the files do not exist already (which can lead to overwriting arbitrary files via symlink attacks) when they are created or removed.

For instance, in sesman/sessvc/sessvc.c:

54 int APP_CC
55 chansrv_cleanup(int pid)
56 {
57   char text[256];
58
59   g_snprintf(text, 255, "/tmp/xrdp_chansrv_%8.8x_main_term", pid);
60   if (g_file_exist(text))
61   {
62     g_file_delete(text);
63

Also, in common/os_calls.c, the g_create_wait_obj() function is used to create many of these files, but does not seem to check for any existing files when doing so:

707   g_memset(&sa,0,sizeof(struct sockaddr_un));
708
709   sck = socket(PF_UNIX, SOCK_DGRAM, 0);
...
714   memset(&sa, 0, sizeof(sa));
715   sa.sun_family = AF_UNIX;
716   if ((name == 0) || (strlen(name) == 0))
717   {
718     g_random((char*)&i, sizeof(i));
719     sprintf(sa.sun_path, "/tmp/auto%8.8x", i);
720     while (g_file_exist(sa.sun_path))
721     {
722       g_random((char*)&i, sizeof(i));
723       sprintf(sa.sun_path, "/tmp/auto%8.8x", i);
724     }
725   }
726   else
727   {
728     sprintf(sa.sun_path, "/tmp/%s", name);
729   }
730   unlink(sa.sun_path);
731   len = sizeof(sa);
732   if (bind(sck, (struct sockaddr*)&sa, len) < 0)
733   {
734     close(sck);
735     return 0;
736   }
737   obj = (tbus)sck;
738   return obj;

Alternatives might include using mkstemp() to create the files, or using something like /var/run/xdrp/ as a directory to store these files instead of /tmp (or using mkdtemp() to create a secure temporary directory (if running xdrp by a regular user is a valid use-case; I'm not sure if it is) in which the files can then be written.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656210
Comment 1 Vincent Danen 2012-01-17 18:22:46 EST
Created xrdp tracking bugs for this issue

Affects: fedora-all [bug 782620]
Affects: epel-all [bug 782621]

Note You need to log in before you can comment on or make changes to this bug.