Insecure Temporary File Creation During Build: Arbitrary Code Execution
1. SUMMARY
Product : Vim -- Vi IMproved
Versions : >=5.0 (possibly older; 4.6 and 3.0 not vulnerable), <7.2b.014
Impact : Arbitrary code execution
Wherefrom: Local
Original : http://www.rdancer.org/vulnerablevim-configure.in.html
http://www.rdancer.org/vulnerablevim-configure.in.patch
Insecure temporary file creation during the build process is vulnerable
to symbolic link attacks, leading to arbitrary code execution. A patch is
provided.
Update: There is no race condition. All files can be prepared
beforehand, facilitating a reliable attack.
2. BACKGROUND
``Vim is an almost compatible version of the UNIX editor Vi. Many new
features have been added: multi-level undo, syntax highlighting,
command line history, on-line help, spell checking, filename
completion, block operations, etc.''
-- Vim README.txt
3. VULNERABILITY
During the build process, a temporary file with a predictable name is
created in the ``/tmp'' directory. This code is run when Vim is being
built with Python support:
src/configure.in:
677 dnl -- we need to examine Python's config/Makefile too
678 dnl see what the interpreter is built from
679 AC_CACHE_VAL(vi_cv_path_python_plibs,
680 [
681 tmp_mkf="/tmp/Makefile-conf$$"
(1) 682 cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}
683 __:
684 @echo "python_MODLIBS='$(MODLIBS)'"
685 @echo "python_LIBS='$(LIBS)'"
686 @echo "python_SYSLIBS='$(SYSLIBS)'"
687 @echo "python_LINKFORSHARED='$(LINKFORSHARED)'"
688 eof
689 dnl -- delete the lines from make about Entering/Leaving directory
(2) 690 eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed '/ directory /d'`"
691 rm -f ${tmp_mkf}
The attacker has to create the temporary file
``/tmp/Makefile-conf<PID>'' before it is first written to at (1). In
the time between (1) and (2), arbitrary commands can be written to the
file. They will be executed at (2). Update: if the file is not
writable, the truncation at (1) will not happen[2]. The attacker may
create files for all the possible PID values in advance:
time perl -e 'foreach (1..32768){ symlink "/path/to/exploit",
"/tmp/Makefile-conf$_" }'
real 0m30.963s
user 0m0.072s
sys 0m29.694s
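An added example, not part of this advisory and not Vim's code: a small
scanner for configure/shell sources that flags the pattern described
above, a literal path under /tmp (with at most ``$$'' as its variable
part) assigned to a variable that is later written by a redirection and
handed to ``make -f''. Both inputs are constructed: the quoted fragment
with its line numbers stripped, and a variant using ``mktemp -d'' that
is shown only to confirm it is not flagged (it is not the 7.2b.014 fix).

```python
import re

# Constructed inputs (not Vim's actual code): the shape of the fragment
# quoted in the advisory, and a mktemp-based variant for comparison.
VULNERABLE = [
    'tmp_mkf="/tmp/Makefile-conf$$"',
    "cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}",
    '__:',
    '\t@echo "python_MODLIBS=\'$(MODLIBS)\'"',
    'eof',
    'eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __ | sed \'/ directory /d\'`"',
    'rm -f ${tmp_mkf}',
]
HARDENED = [
    'tmp_dir=`mktemp -d` || exit 1',
    'tmp_mkf="$tmp_dir/Makefile-conf"',
    "cat ${PYTHON_CONFDIR}/Makefile - <<'eof' >${tmp_mkf}",
    'eof',
    'eval "`cd ${PYTHON_CONFDIR} && make -f ${tmp_mkf} __`"',
    'rm -rf "$tmp_dir"',
]

# A literal path under a world-writable directory assigned to a variable.
# "$$" (the shell PID) is the only varying part, so the name is guessable;
# a fixed name with no "$$" at all is flagged as well.
PREDICTABLE_TMP = re.compile(r'(?P<var>\w+)=["\']?(?P<path>/(?:var/)?tmp/[^"\'\s]+)')
# Output redirection into that variable (the write at (1) in the advisory).
REDIRECT = re.compile(r'>\s*["\']?\$\{?(?P<var>\w+)\}?')
# The file handed to something that executes its contents (the make at (2)).
EXECUTE = re.compile(r'(?:\bmake\s+-f|(?<!\S)\.\s|\bsource\s|\bsh\s)\s*["\']?\$\{?(?P<var>\w+)\}?')


def scan(lines):
    """Return (line_no, kind, detail) findings for predictable temp files."""
    findings, tmp_vars = [], set()
    for no, line in enumerate(lines, 1):
        m = PREDICTABLE_TMP.search(line)
        if m:
            tmp_vars.add(m.group('var'))
            findings.append((no, 'predictable-tmp', m.group('path')))
        for pat, kind in ((REDIRECT, 'write'), (EXECUTE, 'execute')):
            for hit in pat.finditer(line):
                if hit.group('var') in tmp_vars:
                    findings.append((no, kind, hit.group('var')))
    return findings


def exploitable_vars(findings):
    """Variables naming a predictable temp file that is both written and executed."""
    written = {d for _, k, d in findings if k == 'write'}
    executed = {d for _, k, d in findings if k == 'execute'}
    return sorted(written & executed)
```

A variable that is only written, or only executed, is still reported by
scan() so that a reviewer can follow it by hand.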
3. TEST CASE
No test case.
4. PATCH
A patch fixing this vulnerability can be found at the following URL:
http://www.rdancer.org/vulnerablevim-configure.in.patch
Please note: The patch fixes ``src/configure.in'', an input file used by
the ``autoconf'' command. ``autoconf'' uses this input file to create
``src/auto/configure''. It is necessary to remove the latter, if
present, to force its recreation. Otherwise, further build runs will
still use it, and the vulnerability will still be present.
Patch 7.2b.014[1] fixes this vulnerability.
5. REFERENCES
[1] Patch 7.2b.014
Message-Id: <200807241424.m6OEOXd4017351@moolenaar.net>
http://groups.google.com/group/vim_dev/msg/302b0c87138dea0d
http://ftp.vim.org/pub/vim/unstable/patches/7.2b/7.2b.014
[2] Thanks to Robert Buchholz for pointing this out in:
Message-Id: <200807250317.30880.rbu@gentoo.org>
http://lists.grok.org.uk/pipermail/full-disclosure/2008-July/063444.html
6. COPYRIGHT
This advisory is Copyright 2008 Jan Minar <rdancer@rdancer.org>
Copying welcome, under the Creative Commons ``Attribution-Share Alike''
License http://creativecommons.org/licenses/by-sa/2.0/uk/
Code included herein, and accompanying this advisory, may be copied
according to the GNU General Public License version 2, or the Vim
license. See the subdirectory ``licenses''.
Various portions of the accompanying code were written by various
parties. Those parties may hold copyright, and those portions may be
copied according to their respective licenses.
7. HISTORY
2008-07-26 Update: There is no race condition
2008-07-24 Added info on Patch 7.2b.014 (fixes the vulnerability)
2008-07-18 Formatting changes
2008-07-17 Sent to: <bugs@vim.org>, <vim-dev@vim.org>
<full-disclosure@lists.grok.org.uk>,
<bugtraq@securityfocus.com>