TRIPWIRE - Insecure Temporary Files Handling gives root
Summary
Tripwire is a policy-driven file system integrity checking tool that allows system administrators to verify the integrity of their data. The product opens and creates temporary files insecurely; for example, insecure temporary files are created when scanning the file system and when updating the tripwire database. This would allow a local attacker to overwrite local files (symlink attack).
Details
Vulnerable systems:
Tripwire version 2.2.1
Tripwire version 2.3.0
Tripwire version ASR 1.3.1
Immune systems:
Tripwire version 2.3.1-2
Tripwire opens and creates temporary files in /tmp without the O_EXCL flag. The temporary filenames are generated with mktemp(). This makes it possible for a local user to overwrite files with the permissions of root (or whichever user runs tripwire).
Insecure files are created at least when running:
tripwire --check
tripwire --update -r reportdir/reportfile
tripwire --check --email-report
Tripwire-2.2.1 for Linux (the binary version available from http://www.tripwire.com) seems to be the easiest to exploit because it is statically linked with a mktemp that uses the PID of tripwire for creating the 'unique' filename. In all tests conducted with this version, the temporary filename was /tmp/twtempaPID.
Solution:
Install the fixed tripwire and use the new TEMPDIRECTORY configuration option so that tripwire uses only a root-writable temporary directory (e.g. /root/tmp).
Note: tripwire-2.3.1-2 (from SourceForge) still has one unsafe temporary file open (see tripwire-2.3.1-2/src/core/archive.cpp cLockedTemporaryFileArchive::OpenReadWrite).
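As an added illustration (not code from the advisory or from Tripwire), the following shows the unsafe temp-file pattern the advisory describes beside the atomic form it should have used, plus the two checks an administrator applying the TEMPDIRECTORY fix would want: that the opened file is really the regular file just created, and that the chosen directory is private. Function names are my own.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: mktemp() returns a guessable name (the
 * static 2.2.1 build derived it from the PID) and open() without O_EXCL
 * follows any symlink already planted at that name, so the write lands
 * on whatever file the link points to. */
int open_temp_insecure(char *tmpl)
{
    if (mktemp(tmpl) == NULL || tmpl[0] == '\0')
        return -1;
    return open(tmpl, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: mkstemp() creates the file atomically with O_EXCL, so a
 * pre-existing symlink at the chosen name makes it try a fresh name
 * instead of being followed. */
int open_temp_secure(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Post-open sanity check: the path we created must still be the regular
 * file we hold open (same device and inode, single hard link), not a
 * symlink or a swapped-in replacement. Returns 1 when consistent. */
int temp_file_is_sane(int fd, const char *path)
{
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_path) != 0)
        return 0;
    return S_ISREG(by_path.st_mode) && by_path.st_nlink == 1 &&
           by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino;
}

/* A TEMPDIRECTORY only helps if it really is private: a directory owned
 * by the effective user and writable by nobody else. Returns 1 when ok. */
int tempdir_is_private(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}
```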
Possible workaround:
It appears possible to patch the tripwire (2.2.1) binaries to create temporary files in a directory other than /tmp. To do this, edit the tripwire binaries siggen, tripwire, twadmin and twprint, and replace the twtempXXXXXX strings with e.g. tw/tmpXXXXXX. Tripwire then creates its temporary files in the /tmp/tw directory (which should be owned by root and writable only by root).
Additional information
The information has been provided by Jarno Huuskonen.